Ursnif 2019-05-27

Remarks

Code Overwrite Detected (0x200001f): Code in memory was overwritten during this analysis. Review corresponding VTI for more info.

Monitored Processes

Process Overview

ID	PID	Monitor Reason	Integrity Level	Image Name	Command Line	Origin ID
#1	0xa08	Analysis Target	High (Elevated)	sgm_20190527_desfuhohdt.exe	"C:\Users\aETAdzjz\Desktop\sgm_20190527_desfuhohdt.exe"	-
#2	0xae4	Child Process	High (Elevated)	explorer.exe	C:\Windows\explorer.exe	#1
#3	0x458	Injection	Medium	explorer.exe	C:\Windows\Explorer.EXE	#2
#4	0xaf8	Child Process	Medium	explorer.exe	C:\Windows\SysWOW64\explorer.exe	#3
#5	0xb54	Child Process	Medium	iexplore.exe	"C:\Program Files (x86)\Internet Explorer\iexplore.exe"	#3
#6	0xb64	Child Process	Medium	firefox.exe	"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"	#3
#7	0xb70	Child Process	Medium	chrome.exe	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --use-spdy=off	#3
#8	0xb90	Child Process	Medium	chrome.exe	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=59.0.3071.115 --initial-client-data=0x11c,0x120,0x124,0x118,0x128,0x7fef4b319d0,0x7fef4b319b8,0x7fef4b319e8 --use-spdy=off	#7
#10	0xbd4	Child Process	Medium	chrome.exe	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2932 --on-initialized-event-handle=392 --parent-handle=396 /prefetch:6	#7
#11	0x130	Child Process	Medium	iexplore.exe	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2900 CREDAT:14337	#5
#13	0x86c	Child Process	Medium	cmd.exe	cmd /C "systeminfo.exe > C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"	#3
#14	0x984	Child Process	Medium	systeminfo.exe	systeminfo.exe	#13
#15	0xa04	Child Process	Medium	makecab.exe	makecab.exe /F "C:\Users\aETAdzjz\AppData\Local\Temp\1FB1.bin"	#3
#17	0xafc	Child Process	Medium	helper.exe	"C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppUser	#6
#20	0x250	Child Process	Medium	cmd.exe	cmd /C "echo -------- >> C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"	#3
#21	0x248	Child Process	Medium	cmd.exe	cmd /C "net view >> C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"	#3
#22	0x6bc	Child Process	Medium	net.exe	net view	#21
#27	0x7dc	Child Process	Medium	cmd.exe	cmd /C "echo -------- >> C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"	#3
#28	0x610	Child Process	Medium	cmd.exe	cmd /C "nslookup 127.0.0.1 >> C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"	#3
#31	0xb84	Child Process	Medium	nslookup.exe	nslookup 127.0.0.1	#28
#32	0x8e8	Child Process	Medium	cmd.exe	cmd /C "echo -------- >> C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"	#3
#33	0x87c	Child Process	Medium	cmd.exe	cmd /C "tasklist.exe /SVC >> C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"	#3
#34	0x6ac	Child Process	Medium	tasklist.exe	tasklist.exe /SVC	#33
#35	0x888	Child Process	Medium	cmd.exe	cmd /C "echo -------- >> C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"	#3
#36	0xa54	Child Process	Medium	cmd.exe	cmd /C "driverquery.exe >> C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"	#3
#37	0x478	Child Process	Medium	driverquery.exe	driverquery.exe	#36
#38	0x41c	Child Process	Medium	cmd.exe	cmd /C "echo -------- >> C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"	#3
#39	0x810	Child Process	Medium	cmd.exe	cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"	#3
#40	0x31c	Child Process	Medium	reg.exe	reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s	#39
#41	0x900	Child Process	Medium	cmd.exe	cmd /C "echo -------- >> C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"	#3
#42	0x848	Child Process	Medium	cmd.exe	cmd /C "reg.exe query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"	#3
#43	0x910	Child Process	Medium	reg.exe	reg.exe query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" /s	#42
#44	0x904	Child Process	Medium	cmd.exe	cmd /C "echo -------- >> C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"	#3
#45	0x580	Child Process	Medium	cmd.exe	cmd /U /C "type C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1 > C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin & del C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"	#3
#46	0x850	Child Process	Medium	makecab.exe	makecab.exe /F "C:\Users\aETAdzjz\AppData\Local\Temp\DB32.bin"	#3

Behavior Information - Sequential View

Process #1: sgm_20190527_desfuhohdt.exe

1170

Information	Value
ID	#1
File Name	c:\users\aetadzjz\desktop\sgm_20190527_desfuhohdt.exe
Command Line	"C:\Users\aETAdzjz\Desktop\sgm_20190527_desfuhohdt.exe"
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:00:20, Reason: Analysis Target
Unmonitor	End Time: 00:00:41, Reason: Self Terminated
Monitor Duration	00:00:21

OS Process Information

Information	Value
PID	0xa08
Parent PID	0x458 (c:\windows\explorer.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A0C 0x A60

Memory Dumps

Name	Start VA	End VA	Dump Reason	PE Rebuilds	Bitness	Entry Points	AV	YARA	Actions
sgm_20190527_desfuhohdt.exe	0x00400000	0x0051FFFF	Relevant Image	-	32-bit	-			... Region Actions Download Dump
sgm_20190527_desfuhohdt.exe	0x00400000	0x0051FFFF	Process Termination	-	32-bit	-			... Region Actions Download Dump Go to YARA Matches

Hook Information

Type	Installer	Target	Size	Information	Actions
IAT	private_0x00000000001d0000:+0x18de	134. entry of sgm_20190527_desfuhohdt.exe	4 bytes	user32.dll:GetClassNameA+0x0 now points to user32.dll:GetTopWindow+0x79	... Actions Go to Installer Region Go to Target Region

Threads

Thread 0xa0c

854

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-06-09 15:05:21 (UTC)	1	Fn
System	Get Time	type = Performance Ctr, time = 14783799248	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x769f4f2b	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x769f359f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x769f1252	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x769f4208	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x769f4d28	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x76a74195	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x769fd31f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x76a0ee7e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x7738441c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x773ac50e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x773ac381	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x76a0f088	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolWait, address_out = 0x773905d7	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x773aca24	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x77360b8c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x7741fde8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x773b1e1d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x76a74761	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x76a6cd11	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x76a7424f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CompareStringEx, address_out = 0x76a746b1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetDateFormatEx, address_out = 0x76a86676	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x76a74751	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTimeFormatEx, address_out = 0x76a865f1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x76a747c1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsValidLocaleName, address_out = 0x76a747e1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringEx, address_out = 0x76a747f1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentPackageId, address_out = 0x0	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Filename	process_name = c:\users\aetadzjz\desktop\sgm_20190527_desfuhohdt.exe, file_name_orig = C:\Users\aETAdzjz\Desktop\sgm_20190527_desfuhohdt.exe, size = 260	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\desktop\sgm_20190527_desfuhohdt.exe, file_name_orig = C:\Users\aETAdzjz\Desktop\sgm_20190527_desfuhohdt.exe, size = 512	1	Fn
System	Get Cursor	x_out = 803, y_out = 457	3	Fn
Window	Set Attribute	index = -20, new_long = 128	249	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	2	Fn
File	Get Info	type = attributes,time,size,volserialno	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:05:25 (UTC)	1	Fn
File	Get Info	type = attributes,time,size,volserialno	125	Fn
File	Create	filename = C:\Users\aETAdzjz\Desktop\sgm_20190527_desfuhohdt.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Desktop\sgm_20190527_desfuhohdt.exe, type = file_type	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77340000	1	Fn
Module	Get Handle	module_name = c:\users\aetadzjz\desktop\sgm_20190527_desfuhohdt.exe, base_address = 0x400000	1	Fn
Module	Load	module_name = SETUPAPI.dll, base_address = 0x75500000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\setupapi.dll, function = SetupDiEnumDeviceInfo, address_out = 0x7550a7c4	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\setupapi.dll, function = SetupDiDestroyDeviceInfoList, address_out = 0x7550ae7d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\setupapi.dll, function = SetupDiGetClassDevsA, address_out = 0x7550b74b	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\setupapi.dll, function = SetupDiGetDeviceRegistryPropertyA, address_out = 0x75567c71	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameA, address_out = 0x76a0b6e0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatA, address_out = 0x76a12b7a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x769f5a4b	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathA, address_out = 0x76a1276c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x769f10ff	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x769f14c9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapDestroy, address_out = 0x769f35b7	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapCreate, address_out = 0x769f4a2d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x769f7a10	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x769f1245	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineW, address_out = 0x769f5223	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLongPathNameW, address_out = 0x769fa315	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x769f1410	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x769f11a9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindResourceW, address_out = 0x769f5971	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SwitchToThread, address_out = 0x76a0efec	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x7736e026	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessA, address_out = 0x769f1072	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x769f110c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x769f11f8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsA, address_out = 0x76a0eb39	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetVersion, address_out = 0x769f4467	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x769f11c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiA, address_out = 0x769f3e8e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetExitCodeProcess, address_out = 0x76a0174d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtectEx, address_out = 0x76a745bf	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x76a0eceb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x769f1986	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x769f1856	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileA, address_out = 0x769f53c6	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x769f1222	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x769f4950	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x769f186e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameA, address_out = 0x769f14b1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x769f196e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointer, address_out = 0x769f17d1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x769f3ed3	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x769f3f5c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsW, address_out = 0x769f4173	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x76c00000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = MessageBoxA, address_out = 0x76c6fd1e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x76c2ae5f	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x75220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExA, address_out = 0x752348ef	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExA, address_out = 0x75234907	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x7523469d	1	Fn
Module	Load	module_name = ntdll.dll, base_address = 0x77340000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwQueryInformationProcess, address_out = 0x7735fac8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlGetVersion, address_out = 0x7737873a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtCreateSection, address_out = 0x7735ff94	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = memcpy, address_out = 0x77362340	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = mbstowcs, address_out = 0x773ba152	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = memset, address_out = 0x7736df20	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwClose, address_out = 0x7735f9d0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtUnmapViewOfSection, address_out = 0x7735fc70	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtMapViewOfSection, address_out = 0x7735fc40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlNtStatusToDosError, address_out = 0x773761ed	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = _aulldiv, address_out = 0x7739b140	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlUnwind, address_out = 0x77386d39	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtQueryVirtualMemory, address_out = 0x7735fbc8	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x76d00000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrChrA, address_out = 0x76d0c5e6	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrRChrA, address_out = 0x76d0ccf5	1	Fn
Module	Get Handle	module_name = c:\users\aetadzjz\desktop\sgm_20190527_desfuhohdt.exe, base_address = 0x400000	2	Fn
System	Get Computer Name	result_out = YKYD69Q	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data = 138	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\570BCF04, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
System	Get Time	type = Ticks, time = 102742	1	Fn
System	Sleep	duration = 500 milliseconds (0.500 seconds)	10	Fn
Module	Get Handle	module_name = c:\users\aetadzjz\desktop\sgm_20190527_desfuhohdt.exe, base_address = 0x400000	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	module_name = c:\users\aetadzjz\desktop\sgm_20190527_desfuhohdt.exe, process_name = c:\users\aetadzjz\desktop\sgm_20190527_desfuhohdt.exe, file_name_orig = C:\Users\aETAdzjz\Desktop\sgm_20190527_desfuhohdt.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsWow64Process, address_out = 0x769f195e	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77340000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = Wow64EnableWow64FsRedirection, address_out = 0x76a0ebe8	1	Fn
Process	Create	process_name = C:\Windows\explorer.exe, os_pid = 0xae4, creation_flags = CREATE_SUSPENDED, CREATE_DEFAULT_ERROR_MODE, show_window = SW_HIDE	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77340000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwWow64QueryInformationProcess64, address_out = 0x773620dc	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77340000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwWow64ReadVirtualMemory64, address_out = 0x773620f4	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77340000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwWow64QueryInformationProcess64, address_out = 0x773620dc	1	Fn
Thread	Resume	process_name = c:\users\aetadzjz\desktop\sgm_20190527_desfuhohdt.exe, os_tid = 0xa0c	1	Fn
System	Sleep	duration = 100 milliseconds (0.100 seconds)	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SuspendThread, address_out = 0x76a17d7e	1	Fn
Thread	Suspend	process_name = c:\users\aetadzjz\desktop\sgm_20190527_desfuhohdt.exe, os_tid = 0xa0c	1	Fn
Thread	Get Context	process_name = c:\users\aetadzjz\desktop\sgm_20190527_desfuhohdt.exe, os_tid = 0xa0c	1	Fn
Thread	Resume	process_name = c:\users\aetadzjz\desktop\sgm_20190527_desfuhohdt.exe, os_tid = 0xa0c	1	Fn
System	Sleep	duration = 100 milliseconds (0.100 seconds)	1	Fn
Thread	Suspend	process_name = c:\users\aetadzjz\desktop\sgm_20190527_desfuhohdt.exe, os_tid = 0xa0c	1	Fn
Thread	Get Context	process_name = c:\users\aetadzjz\desktop\sgm_20190527_desfuhohdt.exe, os_tid = 0xa0c	1	Fn
Module	Create Mapping	protection = PAGE_EXECUTE_READWRITE, maximum_size = 1631128	1	Fn
Module	Map	process_name = c:\users\aetadzjz\desktop\sgm_20190527_desfuhohdt.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2d20000	1	Fn
Module	Map	process_name = C:\Windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2000000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77340000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwWow64QueryInformationProcess64, address_out = 0x773620dc	1	Fn
Thread	Set Context	process_name = c:\users\aetadzjz\desktop\sgm_20190527_desfuhohdt.exe, os_tid = 0xa0c	1	Fn
Module	Unmap	process_name = c:\users\aetadzjz\desktop\sgm_20190527_desfuhohdt.exe	1	Fn
Memory	Protect	process_name = C:\Windows\explorer.exe, address = 4290295696, protection = PAGE_EXECUTE_READWRITE, size = 1631160	1	Fn
Memory	Write	process_name = C:\Windows\explorer.exe, address = 0xffb8b790, size = 4	1	Fn Data
Memory	Protect	process_name = C:\Windows\explorer.exe, address = 4290293760, protection = PAGE_EXECUTE_READ, size = 1631160	1	Fn
Thread	Resume	process_name = c:\users\aetadzjz\desktop\sgm_20190527_desfuhohdt.exe, os_tid = 0xa0c	1	Fn

Process #2: explorer.exe

522

Information	Value
ID	#2
File Name	c:\windows\explorer.exe
Command Line	C:\Windows\explorer.exe
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:00:35, Reason: Child Process
Unmonitor	End Time: 00:00:44, Reason: Self Terminated
Monitor Duration	00:00:09

OS Process Information

Information	Value
PID	0xae4
Parent PID	0xa08 (c:\users\aetadzjz\desktop\sgm_20190527_desfuhohdt.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x AE8 0x AEC

Memory Dumps

Name	Start VA	End VA	Dump Reason	PE Rebuilds	Bitness	Entry Points	Actions
explorer.exe	0xFFB60000	0xFFE1FFFF	Content Changed	-	64-bit	-	... Region Actions Download Dump
buffer	0x02001000	0x020392B7	Marked Executable	-	64-bit	-	... Region Actions Download Dump
buffer	0x02001000	0x020392B7	Content Changed	-	64-bit	0x02031A94, 0x0202C014, ...	... Region Actions Download Dump

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#1: c:\users\aetadzjz\desktop\sgm_20190527_desfuhohdt.exe	0xa0c	address = 0x2000000, size = 1269760	1	Fn Data
Modify Control Flow	#1: c:\users\aetadzjz\desktop\sgm_20190527_desfuhohdt.exe	0xa0c	os_tid = 0xae8, address = 0xfffd9000	1	Fn
Modify Memory	#1: c:\users\aetadzjz\desktop\sgm_20190527_desfuhohdt.exe	0xa0c	address = 0xffb8b790, size = 4	1	Fn Data

Threads

Thread 0xae8

522

Category	Operation	Information	Count	Logfile
Module	Load	module_name = ntdll.dll, base_address = 0x0	1	Fn
Module	Get Address	function = ZwOpenProcess, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = ZwQueryInformationToken, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = ZwClose, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = NtMapViewOfSection, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = NtCreateSection, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = RtlRandomEx, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = NtQuerySystemInformation, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = memcmp, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = _strupr, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = _wcsupr, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = memmove, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = bsearch, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = _vsnwprintf, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = _strlwr, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = atoi, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = strstr, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = wcscpy, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = ZwQueryKey, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = sprintf, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = _snprintf, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = memset, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = mbstowcs, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = strcpy, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = memcpy, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = RtlImageDirectoryEntryToData, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = RtlImageNtHeader, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = ZwOpenProcessToken, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = __C_specific_handler, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = __chkstk, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = VirtualQueryEx, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = CreateRemoteThread, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetModuleFileNameW, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = FileTimeToSystemTime, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetLocalTime, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = OpenProcess, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetVersion, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = ExitThread, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetTempFileNameA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = VirtualProtect, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = VirtualFree, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetSystemInfo, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = DeleteCriticalSection, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = CloseHandle, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = CreateFileMappingA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = WriteProcessMemory, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = CreateFileA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = lstrcmpA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = MapViewOfFile, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = UnmapViewOfFile, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetModuleFileNameA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = lstrcmpiA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetModuleHandleA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = Sleep, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = LoadLibraryA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetCurrentProcess, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GlobalUnlock, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = HeapAlloc, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = lstrcpyA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GlobalLock, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = lstrlenA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = WriteFile, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = CreateDirectoryA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetLastError, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = HeapFree, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = RemoveDirectoryA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = DeleteFileA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = lstrcatA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetTickCount, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = HeapDestroy, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = HeapCreate, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = SetEvent, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = HeapReAlloc, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = FindFirstFileW, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = LocalFree, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = WaitForMultipleObjects, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = SuspendThread, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = TerminateProcess, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = ResumeThread, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = lstrcpyW, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = FindClose, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = CreateThread, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = ResetEvent, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = SwitchToThread, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = lstrcatW, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = FindNextFileW, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = CreateProcessW, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = CopyFileW, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = SetWaitableTimer, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = LocalAlloc, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetCurrentThreadId, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetCurrentThread, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = lstrlenW, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = CreateEventA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = DeleteFileW, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = CreateDirectoryW, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetTempPathA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = CreateFileW, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = WideCharToMultiByte, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetFileAttributesW, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetFileSize, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetComputerNameA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = EnterCriticalSection, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = CreateMutexA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = OpenWaitableTimerA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = OpenMutexA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetVolumeInformationA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = WaitForSingleObject, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = ReleaseMutex, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetComputerNameW, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = LeaveCriticalSection, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = SetLastError, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = InitializeCriticalSection, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = LoadLibraryExW, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetProcAddress, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetFileAttributesA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = OpenFileMappingA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetExitCodeProcess, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetDriveTypeW, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = lstrcpynA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = LocalReAlloc, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = TlsAlloc, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = TlsGetValue, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = TlsSetValue, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = FreeLibrary, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = LoadLibraryW, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetVersionExW, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = ReadFile, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = SetFilePointer, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = Thread32First, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = QueueUserAPC, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = OpenThread, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetCurrentProcessId, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = Thread32Next, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = FindFirstFileA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = FindNextFileA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = ConnectNamedPipe, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetOverlappedResult, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = CancelIo, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = DisconnectNamedPipe, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = FlushFileBuffers, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = CallNamedPipeA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = CreateNamedPipeA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetSystemTime, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = WaitNamedPipeA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = SetEndOfFile, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetFileTime, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = ExitProcess, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = CompareFileTime, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = GetTempPathW, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = OpenEventA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = RemoveDirectoryW, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = SleepEx, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = lstrcmpiW, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = RaiseException, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = Process32FirstW, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = Process32NextW, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = QueueUserWorkItem, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = CreateWaitableTimerA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = CreateProcessA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = VirtualProtectEx, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Load	module_name = AVIFIL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = AVIFileExit, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = AVIMakeCompressedStream, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = AVIStreamRelease, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = AVIFileRelease, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = AVIStreamWrite, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = AVIFileOpenA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = AVIFileCreateStreamA, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = AVIStreamSetFormat, ordinal = 0, address_out = 0x27fc40	1	Fn
Module	Get Address	function = AVIFileInit, ordinal = 0, address_out = 0x27fc40	1	Fn
System	Get Time	type = Ticks, time = 109481	1	Fn
Module	Get Handle	module_name = c:\windows\explorer.exe, base_address = 0xffb60000	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	module_name = AVIFIL32.dll, process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\explorer.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsWow64Process, address_out = 0x770491d0	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x77160000	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7fefd71d710	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x7fefd5c0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrRChrA, address_out = 0x7fefd5c4c9c	1	Fn
Module	Get Handle	module_name = c:\windows\system32\user32.dll, base_address = 0x76f40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowThreadProcessId, address_out = 0x76f50a90	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x76f40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = FindWindowA, address_out = 0x76f68270	1	Fn
Window	Find	class_name = ProgMan	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = wsprintfA, address_out = 0x76fbbae8	1	Fn
Module	Get Handle	module_name = c:\windows\system32\user32.dll, base_address = 0x76f40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowThreadProcessId, address_out = 0x76f50a90	1	Fn
Window	Find	class_name = ProgMan	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x77160000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = RtlExitUserThread, address_out = 0x771a6930	1	Fn
Thread	Create	process_name = c:\windows\explorer.exe, proc_address = 0x771a6930, proc_parameter = 0, flags = THREAD_CREATE_SUSPENDED	1	Fn
Memory	Read	process_name = c:\windows\explorer.exe, address = 1998219568, size = 4	1	Fn Data
Memory	Protect	process_name = c:\windows\explorer.exe, address = 1998219568, protection = PAGE_EXECUTE_READWRITE, size = 4	1	Fn
Memory	Write	process_name = c:\windows\explorer.exe, address = 0x771a6930, size = 4	1	Fn Data
Memory	Protect	process_name = c:\windows\explorer.exe, address = 1998219568, protection = PAGE_EXECUTE_READ, size = 4	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ResumeThread, address_out = 0x770513a0	1	Fn
Thread	Resume	process_name = c:\windows\explorer.exe, os_tid = 0xaf0	1	Fn
System	Sleep	duration = 100 milliseconds (0.100 seconds)	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SuspendThread, address_out = 0x77042f60	1	Fn
Thread	Suspend	process_name = c:\windows\explorer.exe, os_tid = 0xaf0	1	Fn
Thread	Get Context	process_name = c:\windows\explorer.exe, os_tid = 0xaf0	1	Fn
Module	Create Mapping	protection = PAGE_EXECUTE_READWRITE, maximum_size = 2618464	1	Fn
Module	Map	process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2670000	1	Fn
Module	Map	process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x94b0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x77160000	1	Fn
Module	Get Filename	module_name = c:\windows\system32\ntdll.dll, process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260	1	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4	1	Fn Data
Module	Get Filename	module_name = c:\windows\system32\ntdll.dll, process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260	1	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4	1	Fn Data
Module	Get Filename	module_name = c:\windows\system32\ntdll.dll, process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260	1	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4	1	Fn Data
Memory	Allocate	process_name = c:\windows\explorer.exe, address = 2617024, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2617032	1	Fn
Thread	Get Context	process_name = c:\windows\explorer.exe, os_tid = 0xaf0	1	Fn
Memory	Write	process_name = c:\windows\explorer.exe, address = 0x30a0000, size = 792	1	Fn Data
Thread	Set Context	process_name = c:\windows\explorer.exe, os_tid = 0xaf0	1	Fn
Module	Unmap	process_name = c:\windows\explorer.exe	1	Fn
Memory	Protect	process_name = c:\windows\explorer.exe, address = 1998219568, protection = PAGE_EXECUTE_READWRITE, size = 4	1	Fn
Memory	Write	process_name = c:\windows\explorer.exe, address = 0x771a6930, size = 4	1	Fn Data
Memory	Protect	process_name = c:\windows\explorer.exe, address = 1998219568, protection = PAGE_EXECUTE_READ, size = 4	1	Fn
Thread	Resume	process_name = c:\windows\explorer.exe, os_tid = 0xaf0	1	Fn

Process #3: explorer.exe

12678

Information	Value
ID	#3
File Name	c:\windows\explorer.exe
Command Line	C:\Windows\Explorer.EXE
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:40, Reason: Injection
Unmonitor	End Time: 00:15:20, Reason: Terminated by Timeout
Monitor Duration	00:14:39

OS Process Information

Information	Value
PID	0x458
Parent PID	0xffffffffffffffff (Unknown)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x A64 0x 94C 0x 928 0x 5C0 0x 6E0 0x 6C4 0x 684 0x 324 0x 32C 0x 334 0x 664 0x 5EC 0x 56C 0x 554 0x 650 0x 640 0x 634 0x 61C 0x 5A0 0x 564 0x 548 0x 544 0x 540 0x 53C 0x 530 0x 528 0x 520 0x 51C 0x 518 0x 508 0x 4AC 0x 4A0 0x 490 0x 48C 0x 488 0x 464 0x 45C 0x AF0 0x AF4 0x B00 0x B04 0x B08 0x B0C 0x B10 0x B50 0x B60 0x B6C 0x 878 0x 6A4 0x 740 0x 91C 0x 954 0x 9A4 0x 9E4 0x 970 0x B90 0x 9F8 0x BE8 0x 924 0x 9F8 0x 530 0x 534 0x BE0 0x AC8 0x AE8 0x 768 0x 308 0x A40 0x 7E8 0x 53C

Memory Dumps

Name	Start VA	End VA	Dump Reason	PE Rebuilds	Bitness	Entry Points	Actions
ntdll.dll	0x77160000	0x77308FFF	Content Changed	-	64-bit	-	... Region Actions Download Dump
explorer.exe	0xFFB60000	0xFFE1FFFF	Relevant Image	-	64-bit	-	... Region Actions Download Dump
ntdll.dll	0x77160000	0x77308FFF	Content Changed	-	64-bit	0x771EB380, 0x771882AE, ...	... Region Actions Download Dump
buffer	0x030A0000	0x030A0FFF	First Execution	-	64-bit	0x030A0218	... Region Actions Download Dump
buffer	0x094B1000	0x094E92B7	Marked Executable	-	64-bit	-	... Region Actions Download Dump
kernel32.dll	0x77040000	0x7715EFFF	Content Changed	-	64-bit	0x77063580, 0x7704E390, ...	... Region Actions Download Dump
advapi32.dll	0x7FEFD710000	0x7FEFD7EAFFF	Content Changed	-	64-bit	0x7FEFD71D680, 0x7FEFD72C310, ...	... Region Actions Download Dump
sndvolsso.dll	0x7FEFB650000	0x7FEFB68AFFF	Content Changed	-	64-bit	0x7FEFB657818	... Region Actions Download Dump

Hook Information

Type	Installer	Target	Size	Information	Actions
Code	pagefile_0x00000000094b0000:+0x29512	kernel32.dll:RegDeleteTreeA+0x216	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000094b0000:+0x29516	kernel32.dll:RegDeleteTreeA+0x210	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000094b0000:+0x29512	kernel32.dll:RegDeleteTreeA+0x224	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000094b0000:+0x29516	kernel32.dll:RegDeleteTreeA+0x21e	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000094b0000:+0x29512	kernel32.dll:RegDeleteTreeA+0x232	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000094b0000:+0x29516	kernel32.dll:RegDeleteTreeA+0x22c	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000094b0000:+0x29512	advapi32.dll:InstallApplication+0x116	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000094b0000:+0x29516	advapi32.dll:InstallApplication+0x110	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000094b0000:+0x29512	advapi32.dll:InstallApplication+0x124	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000094b0000:+0x29516	advapi32.dll:InstallApplication+0x11e	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
IAT	pagefile_0x00000000094b0000:+0x290f9	173. entry of explorer.exe	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x00000000094b0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	148. entry of msvcrt.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x00000000094b0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	147. entry of msvcrt.dll	4 bytes	kernel32.dll:CreateProcessA+0x0 now points to pagefile_0x00000000094b0000:+0x327bc	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	252. entry of user32.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x00000000094b0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	225. entry of shell32.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x00000000094b0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	237. entry of shell32.dll	4 bytes	kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x00000000094b0000:+0x329f0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	298. entry of ole32.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x00000000094b0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	88. entry of msctf.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x00000000094b0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	117. entry of setupapi.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x00000000094b0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	285. entry of setupapi.dll	4 bytes	kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x00000000094b0000:+0x329f0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	174. entry of apphelp.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x00000000094b0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	206. entry of clbcatq.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x00000000094b0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	110. entry of clbcatq.dll	4 bytes	advapi32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x00000000094b0000:+0x329f0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	101. entry of filesyncshell64.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x00000000094b0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	142. entry of wininet.dll	4 bytes	advapi32.dll:CreateProcessAsUserA+0x0 now points to pagefile_0x00000000094b0000:+0x328c4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	509. entry of urlmon.dll	4 bytes	kernel32.dll:CreateProcessA+0x0 now points to pagefile_0x00000000094b0000:+0x327bc	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	124. entry of iertutil.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x00000000094b0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	160. entry of iertutil.dll	4 bytes	advapi32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x00000000094b0000:+0x329f0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	132. entry of grooveex.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x00000000094b0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	116. entry of ucrtbase.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x00000000094b0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	117. entry of ucrtbase.dll	4 bytes	kernel32.dll:CreateProcessA+0x0 now points to pagefile_0x00000000094b0000:+0x327bc	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	94. entry of msi.dll	4 bytes	advapi32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x00000000094b0000:+0x329f0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	52. entry of sndvolsso.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x00000000094b0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	73. entry of wer.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x00000000094b0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	233. entry of stobject.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x00000000094b0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	25. entry of winspool.drv	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x00000000094b0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	24. entry of winspool.drv	4 bytes	kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x00000000094b0000:+0x329f0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	248. entry of es.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x00000000094b0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	87. entry of pnidui.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x00000000094b0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	292. entry of ieframe.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x00000000094b0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	749. entry of ieframe.dll	4 bytes	advapi32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x00000000094b0000:+0x329f0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000094b0000:+0x290f9	75. entry of fxsapi.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x00000000094b0000:+0x326b4	... Actions Go to Installer Region Go to Target Region

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Create Remote Thread	#2: c:\windows\explorer.exe	0xae8	address = 0x771a6930	1	Fn
Modify Memory	#2: c:\windows\explorer.exe	0xae8	address = 0x771a6930, size = 4	2	Fn Data
Modify Memory	#2: c:\windows\explorer.exe	0xae8	address = 0x94b0000, size = 1269760	1	Fn Data
Modify Memory	#2: c:\windows\explorer.exe	0xae8	address = 0x30a0000, size = 792	1	Fn Data
Modify Control Flow	#2: c:\windows\explorer.exe	0xae8	os_tid = 0xaf0, address = 0x0	1	Fn

Dropped Files

Filename	File Size	Hash Values	Actions
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{F5FB2C3C-D05C-EF89-82F9-0493D63D7877}\01D51ED4E3ECF92009	98 bytes	MD5: 8300d5664c941280c3722332460aec5e SHA1: 1a5b5b62edfc00b9ad8d81e35176f819374d707a SHA256: cdcb320fb42cfda2242545901e14fcd8efe5c2ebbd6cd2ca79094c020df05b7c SSDeep: 3:Lnkrv2UMADMMNBJFN1vg1CwWEGPSNN1vv:LW2gDMMNBPXg1zLXv	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Local\Temp\1FB1.bin	156 bytes	MD5: 746e3d700094446588b13eb1cd127850 SHA1: 1f9d302dc51aeb9f8adfb8c3e84808bf21c8eb4a SHA256: d0c060520fc243776ee98eae161bd9cd603035693230c0987fb3f5373526db4d SSDeep: 3:tFoYXBsJaQGQbJxzp4E2J5xAIkLW0HbRQ97xHMLH7ACLkhkUghGmSVd:tFdXBW/zpJ23fCvVQ9FHcySUkGmSVd	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ff\\3y2joh8o.default\cookies.sqlite	512.00 KB	MD5: 6389834774166f7a20359003254939f2 SHA1: 7b996a476a9f7fe763ab19c39d3dc318966d18b8 SHA256: 23b1cf9e40b9ba27ec7eb7cd01b4609e4418aba063275fb2a0aebcf28f8f8620 SSDeep: 96:Dbn5HKlV8/VDHLRilOhFTFf6FdqA9LJp6Y/e2DkrGJ6hmCcaLeU8ukONPk7iriQ:3n5HKEnhTFiPsvW7iri	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\sols\macromedia.com\support\flashplayer\sys\settings.sol	291 bytes	MD5: d9ccbcbe064026d42c932347b2b1e72f SHA1: 7b9617a8407a10adb164ed86647b14ffb83ad79a SHA256: 99fee6cdbd087a572dfc2c220e33e383d98120971385c7e90fca3d2f33c0d0ea SSDeep: 6:o2RoRy/rfnxRBwbJWhppYk3QPRhJtuHiyYyczw8:kR+fnxRKb0H4XoHiyUE	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\aetadzjz@g.live[1].txt	64 bytes	MD5: 9f04c55f87cff421e53e3ca99f73ea20 SHA1: 33c285d504d42d5f028abaa55dd2c2ad0bafaec3 SHA256: 4cf2b3be29d12a6374d98b652821b82544488f72f7ae97a54332ec039483c3c3 SSDeep: 3:U4LJMKUQ2JcFbQD7QQQQR6Z:ZEXJcBo8Z	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\aetadzjz@google[1].txt	281 bytes	MD5: 4ad92a47e3ca837b5ec7b4fc139c3221 SHA1: 32f0a4e640534cc27a24fb4d4a639af53f28890e SHA256: 6286e1a07827a201023ea4d90b402005c93fad6b3457e750efb5990851517036 SSDeep: 6:sE3G3mOdk/p3IAnS0Lg70j84MIcmD0g8v/rPlCBn2f7FQ:sEW36IAnSygbIcW0gG/rNCB2f7FQ	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\aetadzjz@live[1].txt	95 bytes	MD5: 7fe1b46770b1edec02b272b2f6dc7d91 SHA1: 57d8f09e6e5dc96069444d8d4d0de0d33aada7c8 SHA256: abdd91371dec97c6c397f2c764b54da2451c59f8d881b3b0b8c92fb8f8c834f6 SSDeep: 3:eNTHjlQKYXnzjTYKUQ2Lc1UOVTdXQIsQR6Z:eTHjliDjTYPXLc1fdF8Z	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@ad.360yield[2].txt	443 bytes	MD5: 349063a08e23fe42f87f331738f500ab SHA1: 495edf3de6f1855d4475636b61a9ef20b8a67fb4 SHA256: e4533cc58099e0e57a4682c7b85f102735f617031ece33e346f9e1ce72becdbf SSDeep: 6:654LYiDW0MyREmVj/qnjc9MyREmVj/tVQvbDPj5+WMyREmVj/hrmuyREmVj/n:Gyprlmjc9trlSDPjbtrlhrErln	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@ad13.adfarm1.adition[2].txt	89 bytes	MD5: d36376ffd512293f10f54b05339f5fcc SHA1: a657dbfcad15f05f579046a79d811dced34d2626 SHA256: b3730ba9d5755b8e132847ed41d1e7d26a7bb5fe1e1af12b99cf4e915cff5c7c SSDeep: 3:39E1CRI0Xv7YfWUyRASTaXWLTc0LZ/:tE1CRIVWUsNaXWtB	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@addthis[2].txt	179 bytes	MD5: 425f569793e03058495b8ddb41647dbc SHA1: 0b0a2f9b2f35b94da0d272942aeca2f0299ffad4 SHA256: ab9196fcc65d03f3a109469cfdbdc5cbacf9e63429b3a87807e1c361633266ef SSDeep: 3:Z0QUJGUQQSnL20Xv7YebYl+cczT749qXvtXzCqscrX20Xv7YebYl+cczT749qXvn:6h7+t/75/tXXscC7+t/75/n	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@adfarm1.adition[2].txt	101 bytes	MD5: 05e47f75ad4c57aecc2cd087b11a5ed0 SHA1: fb2065bcb79606c392848b78cf3256ed5f3a55f3 SHA256: 1acffc57281297470896734f90e6dcea2b9564ae2cc949ecc3101287eb82ffde SSDeep: 3:jA82pTTSIklRI0Xv7YfWUyRASTaXWLTc0LZ/:atlklRIVWUsNaXWtB	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@adformdsp[2].txt	93 bytes	MD5: 7780ebfe715c98bc46685817d227292e SHA1: 39124bec544f6ee71b082c9d5dfc40f8e03e4621 SHA256: 9c58c449db1a30a726b4e0193f0fecef7912c5b91ad13a4e173d56bc0516f902 SSDeep: 3:ZSSTNRFFyIvKvXv7YeEkaRLSgm59qXvn:XtFyZgNB/n	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@adform[2].txt	302 bytes	MD5: ede7810617586a3ac574242d8549bf3f SHA1: a53b84555a12482a8e8c9f9b7db6d30d9017dcbc SHA256: 27d67899d4718c659a59fcb38b617e8adb669b45321aab5fec4178891300a675 SSDeep: 6:oPcEUUdOV3wQ/twCVWB/fgUcRV8Q6/nXtFyvjmzQB:o7Ywmt8f6AnXtFyvjmzw	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@adnxs[2].txt	745 bytes	MD5: c6bbc80bcccf4b3ca5083c1172f4113e SHA1: cadab93387c57abd346cf4e8aaf355da4e7b9b4a SHA256: 4e8b03d82c41395a2a138357a3571d9769b6eedd328688875949ad7bbc4504dd SSDeep: 12:q6P6cm+JV3qUg25fTs5hI+hdj7pzehH8+WnuMVFCl0QQeSe50F:b6cTJRNs5hIaFdzehBWu85m50F	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@adscale[1].txt	87 bytes	MD5: a8b14909816b0779c38d923ab73d9dda SHA1: 9ac149f9daa446a420c1130f869404143732afa1 SHA256: 3836fa428fe17627975a611dbc38d6bf95aad3cb85a29882e84e069641019220 SSDeep: 3:FJWWUDLgJNKvXI+YfTf12W5Sz+UVY59qXvn:7zjuSToW2V/n	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@adserving.ancoraplatform[2].txt	251 bytes	MD5: 4d450b81ad0b6a080a5ebebd9e337aed SHA1: 4709ab9ac314d7ef09033ab89f9275ec70361ae5 SHA256: 1b2b4ec56577b4a76d4b3cc64f4250cf4282a3e4541c940ec08e348ab8428c0c SSDeep: 6:qnRX6qjeva0/UBtuzG8TRUpRz0X6qjeva0/n:mnav9UDuq8TRUp0av9n	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@adsrvr[1].txt	243 bytes	MD5: 0ec4eca358f2237af0c42934b621b5ce SHA1: 1b2702ca9ca93ad1a7a12e45551947784b710115 SHA256: 320b7e1cd1967e6486009be629c4f2a2235fa06d554d37a16458731b3c392c5b SSDeep: 6:A7GDQEvDgAUuvQU7Y0/CxpV7VRhYyLv3LnlcZvQU7Y0/n:ACMEWrUbCxp1VzBLvDRUbn	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@adtech[2].txt	102 bytes	MD5: 452a82aabe089eb4f4c3d43ee47718d6 SHA1: 365464a30fda807c7c71d2114830f30eab179018 SHA256: 94799bee1444440eb85563de077c6a8407e8308a58165e97ca399201fd764c02 SSDeep: 3:JhTWQU9XUNqUkSuFoAGNLBI+YeL/4v+UQdTZRvW59qXvn:XI1vUUCB//4v+Jdzvx/n	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@advertising[1].txt	280 bytes	MD5: 55662c26c06c19949d929d644a4023b0 SHA1: eec41d2cbfd19571ec95a3d93d370c3a39da83cc SHA256: c1a3144e95ef49ea7033bf2323b80180d3e9bc5bb119c02e0fcfebd5a2fff482 SSDeep: 6:9sFu++eLXyFo2HyScX00x/TQDeLXyFo2B:9LGSV05Ted	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@angsrvr[2].txt	222 bytes	MD5: 785fcd708700916091a19dc7f57f4a63 SHA1: 2bf7e38cfb2955ec8203fb8d6098ff98bd7fccb6 SHA256: 541fbf6a39469e0e5138e803b839e9fd4dc524d1fbb0dd3599a369eb287c866a SSDeep: 3:FA2fEWAU8ImHJVoEvv7Yea1Zd6U5Wvvg9qXvQFMBIhXCWLIaTNRFoU3gFpWXhv7v:xEHHXAN5Wv5/QFAcXVLtJtXEN5Wv5/n	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@api.bing[2].txt	223 bytes	MD5: 544e2ee97b0f59feb1db3dac906e74ae SHA1: 69c7499fbb3499e38d37393e2c306b3c6ed7c9fa SHA256: b90bb9ae2699f3ccec9cba7457298089d24f3d9d0cc64b6049818753a1e08390 SSDeep: 6:zCAVdUncGav+R6UB/YNoIjjgj6J+OXuv+R6UB/n:zJnu6qYNogIEX2u6qn	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@at.atwola[2].txt	515 bytes	MD5: 5973db3528805734eae11aa1c71cc886 SHA1: ace5a185db15c1322b6ba03cefda0627e799761d SHA256: 261a1b6500e0861d12d628bca83b1af9f9456b82051ebfe57e5fdf416a7c4136 SSDeep: 12:9iJshlE9JshloLrfDXfJshlWX4AvRv5q/uIOUT4AvRv5n:99l7lovDulavRv5OuIjrvRv5n	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@bidswitch[1].txt	289 bytes	MD5: 7330b4edde97909318145138010da381 SHA1: dd13126f2259645e4e3a3bb720734ebbae5ae1eb SHA256: 2ffe7d9bda989e0d7078005326d895cc1b199ac69470bffc411bee6222ee3153 SSDeep: 6:6AtuzG8TRUFkqJU1j/qnjkXQkqJU1j/EYkXQkqJU1j/n:Puq8TRUFjUFmj1jUFEY1jUFn	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@bing[1].txt	264 bytes	MD5: de26f80226655361c9cdd6fbaee26c0c SHA1: 3ad2b95ea1f5dd11bf36ef75b5113c8e383b8db3 SHA256: 332907b5b80c12d3bde3597ce177768305c00d0e6d8f5a83062afa34942c3db5 SSDeep: 6:Ejjgj6JZ56sv/SW3omv+bT//p/ev+bT/n:sI6njSd+K/dGKn	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@bluekai[1].txt	162 bytes	MD5: 7b847ac4e71703833c0b4af722540658 SHA1: c952b7bd03a3ff328bf945dc71439afc6793d782 SHA256: f60ff8ba4df3741c025001ab4ad4c7aee8f61c80ef0265f49e1d79ac0ad143d6 SSDeep: 3:pNN1gyTuv7YfSuW5W8Skrg9qXvuQDecYJ1JRoyTuv7YfSwgJW5W8Tim59qXvn:payTVSZFrx/LecioyTVSwpiB/n	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@bs.serving-sys[1].txt	93 bytes	MD5: 0caeaad9af0a20b16d10228f6f696c74 SHA1: 064061efcbeb33a18ed578212d4532090b6a05b0 SHA256: aa2ae12ddaa10b7edee5aa79012c83e1066c9b6c29ef8e7e8ccb336c176e9616 SSDeep: 3:5AHKWqkUVZsHdyKvXv7YcYYSc/gp1Qo49qXvn:NWqdDsHcXYSc/gp1v/n	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@bs.serving-sys[3].txt	111 bytes	MD5: a7418dccddf82410a611a0c79f6b7c99 SHA1: edb72021e341c82defc1e678665a24c93f3cc7d9 SHA256: 53379b933d725e0d217785f3e4458436decbf23b8e412430003ba0a858857484 SSDeep: 3:1XXM/KT/LHdyKWAXALCMYeFCVGoRVkLZ/:1XXMyT/jcNyA/CQc2B	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@c.bing[1].txt	560 bytes	MD5: f07537748c17e17f72658a27a025dafc SHA1: c2a20a4156e605818752235c631f6300d6fe810a SHA256: 9a69de0652fe8324a6d5d0469fd6d3aea8ad029364aac1bfd0e5454837a448c6 SSDeep: 12:8uvNYz+Fm/4pYNogIYkXqiCWSYxNIY2KYBExpnghY6RIY2Kn:8gNYSFxr6iCpYaKYQpghY6EKn	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@c.msn[2].txt	130 bytes	MD5: 2ce490761cba48f1f4ca4c0e41e38ffc SHA1: a78bb96f0dc35cb8046903a32d1ee7b83d1afab8 SHA256: 171a52b59dce13dacbdfe0c84b5ba1a99ed78f9f8f918fa6aa0b41be5d60e6c5 SSDeep: 3:U8LfyKfUVXJXiT3W5W80cQw9qXv8tuvF2yKfUVXJdQCdhvWEJcQw9qXvn:FfZ8VXZiKqhB/8tuvQZ8VXTQIzJhB/n	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@c1.microsoft[2].txt	144 bytes	MD5: 6094cbca564f2b56483e4920d86e154b SHA1: 9c4f8c0abafe901ddf25350d2c1bcf0f59f80723 SHA256: 905a79cf1772e3b13914774691d2fa4af231ee76347e9b77a5d7b4517a9c9263 SSDeep: 3:U8ULA+tRMVXJXiTOgJW5W8TeUC59qXv8tuvFQ+tRMVXJcHQXXvWEBUC59qXvn:AA+DMVXZiupLV/8tuv6+DMVXv/ziV/n	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@casalemedia[2].txt	537 bytes	MD5: f14055b0888ad6d050f664d481e4877c SHA1: 45218b265962370893368ecaa75b59f88b7b437e SHA256: b7a83fbf73ceb890890b11ed8201ecae2d6192426ee18984dbddfe378f740117 SSDeep: 12:Bx/eUKSfbNMSf3NMSf8FA5f8FA5fNOOgwleUKSn:BpeURTNMSvNMSUFckFctleURn	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@connextra[2].txt	325 bytes	MD5: 67b01882dfc129bd00262fa371f6a741 SHA1: 41bba9d36c9c525c3493be72bb50790ed56f757a SHA256: 8797b11dcc9d20fe3d5a2e5fce9fc4352d0e4a78dbba6e3f238237563dd23772 SSDeep: 6:KOBU9JOXQaVVv+jB/XhRl0tSj3lDCKf3AAPIf3AAESzOJMXJUKWB/n:IAXVVvsXhcgj3IKfs3OgUKwn	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@crwdcntrl[1].txt	296 bytes	MD5: cdd6ddcd7f92395e37212749dc65f0fc SHA1: 0b52bd48fd424234e822c6adfecc1ddcce1382ee SHA256: 07453614e795fce6db1483b47c20125eacd398c49047535b2141ad527efe604a SSDeep: 6:BqIWBXv+zKWs6iVY5/DMHAZhXdVVLzKWs6iVY5/DghzKWs6iVsVJx/n:BqIWBXv+zKxVYhDoAZhXXVLzKxVYhDOt	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@demdex[1].txt	111 bytes	MD5: 266e18cdbe93733eed5e605620adc691 SHA1: 1730bd6e6b9fd409a4520cc64e0d64be76bedb81 SHA256: 776340cfb7c888a3930164adb29ccdbf020916a541b4319ae00705da4a6625f6 SSDeep: 3:+elRWdTGVKVVBPFOLv7YfSuW5W8ZT749qXvn:HzWd2K/3SZH75/n	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@doubleclick[2].txt	274 bytes	MD5: 691dd0aa35837e8ff4d89fef2455df22 SHA1: c65765886e18410984bd5968624fcc76e328aec3 SHA256: c8689ac596de5e6579a0b756d47f9033642ce71b526daa25ed67b19ad6744f99 SSDeep: 6:AoXjf+ouDFGEWjYGv+R2OV/Fjo41kCxD9nnjYGOXuv+R2OV/n:AMuDFGEWMeu20z/D9nMzX2u20n	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@dpm.demdex[1].txt	112 bytes	MD5: 62d977d377a32f44cd4626c5b129d8ef SHA1: 63ee183dc5b3d648b1bf1186dfb8532ea3604458 SHA256: 00f3c6b0e4003a65c482d22468df8a8b1eb2400ace4dd007c94b222ff8adff78 SSDeep: 3:WQX1RWdTGVKVVBPEALv7YfSuW5W8SfZRvg9qXvn:W+Wd2K/SSZKZRvx/n	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@exelator[1].txt	342 bytes	MD5: e2297c72be318b191a50c42ba9e65230 SHA1: cd19821c7a7e6f480b2d976fc7895d1d3950021c SHA256: 7fce39f674360ffb4f264ceaadf216184bb080c3d6830ccc791c4940e236496c SSDeep: 6:TCjVLkQDzBYUcG2OxAM/gAvMp+ZuHqMPvrTIM2y1cTjes2s3XQ3xUcG2OxAM/n:TCjVIYqUcHogvp+ZuKW3weWes2snQBUT	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@eyeota[1].txt	103 bytes	MD5: 097371c2c720667ee156c6f9ae4e11f0 SHA1: 81787f3f65f24cd735c2f20999380538b05af802 SHA256: eaef0872449cd292284cc792e7dbe5e5645c686cc126c269da24af2eb45e4e50 SSDeep: 3:5l7MrBN4HScFMDnHF7d4v7YcUJeZsbmW959qXvn:fE34RMhpZJUKi/n	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@google[2].txt	194 bytes	MD5: 41e320b0887eac88f73cd72e0e7e4c47 SHA1: 634150fa4bc78ec2296e29fefc272bee3bf5eee9 SHA256: 23ab8341422219f13372d5b0ddfcfeda1e641392743a5d3d9663e1b68901db65 SSDeep: 6:sUrvMGGCbpDd7htEbv38PiI5RW1mGwmiNmvwz5y:sq3HEmWTwmkmvi5y	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@ibeu2.mookie1[2].txt	311 bytes	MD5: e35ae2af41fa685603e8d0fac9898b10 SHA1: cc0f204758b5d597805a5463dad1333f57a36c66 SHA256: 81f050e285f3510bfb6dffb48fe89aef4795b97af8cbdca1e73a765c1e954b6e SSDeep: 6:GON+dRh8pWgsTBTW7BaGYIuTTBTU9uUMXiU1Jx/uwa8IVFTBTU9uUMXiU1Jx/n:ZNbYgsVT0BaGoTVTU9uuUL5E8IVFVTU8	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@ih.adscale[1].txt	129 bytes	MD5: 3583c4ed74fe486dc971e510fae454bc SHA1: 31114cf4d88542b9ebb680da91e5387a6bf6240e SHA256: 691141731d671a9d568d0ea068853b4eb1b404b008af62a5caadcacb98e305be SSDeep: 3:IWByxbIOzNRFgXxpfBBgKEg40E07YeU7WUSR4Zd7h+UVY59qXvn:IW1ONMBgfp0EzTrVhrV/n	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@linkedin[2].txt	269 bytes	MD5: a92f18a2291b4a049067c2171a5a21e6 SHA1: 384999cc2ed8416c9e16d1b965317e1fe41186f3 SHA256: a9eda19fd668fbc9216ae75a0a3675cb0f903a0b3311da40f5d2f87220885c72 SSDeep: 6:ABYgA8GB396TDGS6mdcwMJx/S2VdzfNFnF01eEpTPUMQfwMJx/n:edGR96TJQwSSoIe4TiwSn	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@m.exactag[2].txt	118 bytes	MD5: 91690f09812c5f0813d6424c8d8478d0 SHA1: d4f48ed6643a1b8235198ae4993b256d19e1441b SHA256: 6cef9b8d8107aab7d5d5a5c7f89abf22868bbb00d26199685ad06b85b82db06a SSDeep: 3:4i30DEWDtblSBDLeAdEGRuGvXv7YfRLAqeZs2aI+LZ/:4iEYsIBDq4EGuJdUg5B	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@mathtag[2].txt	289 bytes	MD5: 59f244cec8fe03a5a8f394de55d15896 SHA1: 8166099f7d256efc72cd83874ed55cb0fc68b589 SHA256: d8bd84b23169f77551f4d1c2783c5886c2b6d88a8a55814ddec76cd6403c5f9e SSDeep: 6:iisE8nDF9J1Uc0/dJDWfm0fiWc3FFfSLUczo5/n:9GDF9JecSLDWfmJNXfBcUhn	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@microsoft[1].txt	577 bytes	MD5: be3594804bdb63505e727fc044d27797 SHA1: 3015f498263967cd6d83fbce420a5039f4399c35 SHA256: bd892cae68ce3277fe193fb642a52d923568aadda7c01c5f8b9affb3d905afa7 SSDeep: 12:FNzjXbLM7rcq3aBzsdxtycEx3uDEwpbgFAwBuDMTVT95QXIaDM9GX7Tln:FlrbY7r3Kzu35eutyeQfmT7Tln	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@msn[2].txt	823 bytes	MD5: 7cb1506682d8806cc94df145d167a35b SHA1: b103d4281445f30b689fff9f12bf12b6bf83b2a9 SHA256: f492bf5421a8026c9c3223870b228b50ec6ba0f0bf035ad906f6cd9f1548d2e0 SSDeep: 12:uFJLs4X+QMzpdXi3c8PVPepzM5UPkM5UPLhDOFkQKEx99MnQWY6YGsBTVxqq8TVS:uYaQddeD2UUPbUPLdakuUQWZtsatHUTn	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@openx[1].txt	114 bytes	MD5: cd6efa3586b36158471d799f7dea9203 SHA1: 9d140d7951e687cd680ff562b57ed6485735727c SHA256: 6c64105061ed480870801751d8807108229104cd31c1ff0656ee9a07d9681231 SSDeep: 3:uB6IcLuzHy06HhcmWLBLv7Yc2SdJeZsb97O59qXvn:O6IcLa8h+UKT/n	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@pixel.rubiconproject[1].txt	111 bytes	MD5: 3dadea17b5cb989b4b62d1100544018f SHA1: ec8899d3470ac3223c8bc003c080abe07de81d2a SHA256: e34a99e2e1b0c407c0fd6408459807f520dec7798a349aabee8a6ae8785a6027 SSDeep: 3:nvqVNcSy/nmNMKsQ94RyK/v7YeU7WUSR4Zd7hG49qXvn:STJCmNMTQqRZkTrVhG5/n	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@pubmatic[2].txt	187 bytes	MD5: 613f9c53ae10c0692f3476c65c1f0a03 SHA1: beace35c7eded7c8bb93eaf01bb1dbcc350b4efe SHA256: f7fbf563dca6c05536971b0e5119c88ce54c856cd60e3e62b9ae2b3190ee08cf SSDeep: 3:BqVsIvXMPgNRFUQHIwLd/v7YeVRUU1Zd7tzT749qXv7IwLd/v7YeNLFSVnQT749o:BqVsS4mJ/ZBSUrVt/75/7/ZhEnI75/n	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@rubiconproject[1].txt	298 bytes	MD5: e7db79ff27ba59c473ed375898871045 SHA1: cf11fd4715d2d8c56319d7f8c244ef64ad865210 SHA256: c7d1d64af9334a17b3111b45d833170193793df72b9bbf6e77a8d8bbf4d6bb78 SSDeep: 6:GRBlHwqRZkTrVhG5/j8cmt3qRZaSPmq5/KoUQqRZaWInT4y5/n:GRX3ZCGhYcmt6Za3qhKoKZaN0yhn	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@scorecardresearch[2].txt	204 bytes	MD5: 98e92029d9f2bf1a02be68fefcf9b97e SHA1: 964ff54971fc3afc4e8e92cb1a7a7d0ff80b8400 SHA256: ff26db0f5f21756af5e23ac4654adabaec898dbc2eb99d61e6ccbe89ed8ade81 SSDeep: 3:HUHW/wWWChcXwjLRA+mv7YeJlmXfWMe9qXvfCgjLRA+mv7YeJlmXCDrg9qXvn:HlKURQlOWMj/fCURQl9Hx/n	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@semasio[1].txt	90 bytes	MD5: cd1383de192459a569e41b51bdf875bc SHA1: 9690b05b9d9b44a1d8dc3853774b76d32f07fcbf SHA256: b7aeff232785ee8c3a12843ae3248de3002134457fdc7ac85928374f4ec155cf SSDeep: 3:ZMAOxLLLzPv6NljficfW5W8T59qXvn:WAOx/KzmpG/n	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@server.adformdsp[2].txt	108 bytes	MD5: eb2e688ee64880d479b233dcd7f6a29a SHA1: a11a376762babacc44c8d6b6c4007cafe51a5b47 SHA256: 296a1c87210984f2646e26c3ec199056d9e3ca558a907842e590575613916cfb SSDeep: 3:lBT6STNRFqVjrQIvKvXv7YeEkaRLSgm59qXvn:lBdt6QZgNB/n	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@serving-sys[2].txt	460 bytes	MD5: 9ac10a5e549a9ba138a8d7ec7d33b752 SHA1: 2626bf4c6fe24d87f060e4b6b7ec488eb86afcbc SHA256: 3b2062bfa93f93f4dd2b50e418ccad01f15ad9aa479e22c1f689fa926f10fa04 SSDeep: 12:IZx2vNnbNJtF/VTsQcIaFQcIab5xf17dQA:1vNnbNJ5bAqAb5Xh	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@serving.experianmarketingservices[1].txt	413 bytes	MD5: df3e96d630d4a5877668e330023660e0 SHA1: 3aafe459af5db3bdba3379daf596819e38270e1d SHA256: 9f2fed7838cc78ca53c313a5a348354cf5b86513152289add24db6996398b42b SSDeep: 6:6AtuzG8TRUbKQXx5fTJcEXK0/qnjO3QXx5fTJcEXK0/t2XtuzG8TRUpRtQXx5fTT:Puq8TRUvDVtmj/DVtGuq8TRUpkDVtn	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@smartadserver[1].txt	287 bytes	MD5: 38f6121f03a37dbad3e4299a5be2faae SHA1: d36bfdecaff3f36bd6a1293adb4b7677cd13f69d SHA256: f73ef83f8cbe4855d0cba659fe77aee5130f9981df2d95e14bd35edd08095a69 SSDeep: 6:++CsCvWDHajp/n8bsCvWDHajp/LvtXI1sCvWDHajp/n:+SCv8Cx8QCv8CxLvtNCv8Cxn	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@tapad[2].txt	198 bytes	MD5: 65a96b04458eda07a469dcfd9dcb0aca SHA1: 318242d3f63ebe8b377dc772dbe201fe8bde68a1 SHA256: 40944b9a3d139290a24ffbc76a85bf1804b34673baaaa8b0bb9617b7c51b2b42 SSDeep: 3:WkHKxoRVrv7YeeSLS0ZRvg9qXv9JVNIERYUvdHIvT+XBmJxv7YeeSLS0ZRvg9qXv:Wkq68ItZRvx/jIERYquipItZRvx/n	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@track.adform[2].txt	177 bytes	MD5: 58d3c92809d1d0f90a66b0ef1fb169eb SHA1: e3a015a590901821fe7af8446fcc9ba9fb1618df SHA256: d9dcdd248af850b28807d748a769c8b7d5c5212ac1fdc6ba429e4b29f2c07204 SSDeep: 3:xRXE1oQITv7YeLcQLS1TTC59qXvCUT6STNRFqVNvkoQITv7YcwjSZRXZQZ/:kuQgvOTB/XdtOQvjmzQB	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@turn[1].txt	87 bytes	MD5: 65f37b2d5d5025a20e7b58f0ccfa98ba SHA1: 740c7d0f087eb53c3b9fe2247eece2c9c02394c3 SHA256: ea2c10eca2514a9303cdb37199260011961c8b77afa176249b105a4f3b79b5f9 SSDeep: 3:ZMjoeYpvXv7YfSP3W5W887O59qXvn:dpKSPmm/n	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@w55c[2].txt	89 bytes	MD5: a3363029fa13101f567e0c5ce868f576 SHA1: 615d1e327c2df9a5dfa81253015b5c1d49b16203 SHA256: 13d2318ba313945e4fe52bc97f4881a91691b9cb925265c7c9fd0bdf21daaefb SSDeep: 3:442CAjfP/Lv7YeMS6XvWDHTWeNdV2Z/:471j+XvWDHaodIB	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@www.bing[1].txt	117 bytes	MD5: 66d2088d8d2343443be752038e07213c SHA1: e164d80a3071df692d3281ab29828b5842e22bf1 SHA256: 176f2e5e6e4aa9c7fb48cd137b29d0504594865668925b0d927e5296f84f2f1e SSDeep: 3:zCshvjw2j9s4RBG5Xv7YeNYVv+WcO9qXvn:zCADrzv+bT/n	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@www.linkedin[1].txt	168 bytes	MD5: 5e15c2fa34e0bd66cfcd4bf729eedffc SHA1: db959aa76ae55790aa6bc3f7811bc880612def3e SHA256: f585e197f351085982ad39d1c4536ad6752452d806f5d463f9303de24c84d914 SSDeep: 3:sUcmbc/+sT90dbGtVigR5skCtr9KvBTKfXv6NPXdXS6FkdcwMJW59qXvn:AmSF90dqthRahqBTJ1ZS6mdcwMJx/n	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@www.msn[2].txt	1003 bytes	MD5: bebef28f495eda7703ce649ef91e7767 SHA1: 5beb824bf210119e1f3e6f2ea1300bd1b6e5a9c3 SHA256: c28580cfe615196150d548bd934aae33c8b6684e0d324659d13bf26d4d879ca9 SSDeep: 24:YTfyr8bPXhHYkCbw665UJ/02y4OpRgj4Kd+R+oRjOcmFQPYQn8:QrPXpYkawiJ/0KOpisKdbmOHQi	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Local\Temp\DB32.bin	159 bytes	MD5: 5e18cf92dd6e9b29915e1ff031a02ec4 SHA1: fd427764c308296721d3ce56915ac5ed3236c8f1 SHA256: 3373d2768b603e2e396b679a58f161f77327da89fe05fa4620d12936646d75dd SSDeep: 3:tFoYXBsJaQGQbJxzp4E2J5xAIkLW0HbRQ93HsLf1Jxzp4E2J5xAI/:tFdXBW/zpJ23fCvVQ93q9/zpJ23f/	... File Actions Show Properties Download

Threads

Thread 0xaf0

1984

Category	Operation	Information	Count	Logfile
Module	Load	module_name = ntdll.dll, base_address = 0x0	1	Fn
Module	Get Address	function = ZwOpenProcess, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = ZwQueryInformationToken, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = ZwClose, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = NtMapViewOfSection, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = NtCreateSection, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = RtlRandomEx, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = NtQuerySystemInformation, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = memcmp, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = _strupr, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = _wcsupr, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = memmove, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = bsearch, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = _vsnwprintf, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = _strlwr, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = atoi, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = strstr, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = wcscpy, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = ZwQueryKey, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = sprintf, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = _snprintf, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = memset, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = mbstowcs, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = strcpy, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = memcpy, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = RtlImageDirectoryEntryToData, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = RtlImageNtHeader, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = ZwOpenProcessToken, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = __C_specific_handler, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = __chkstk, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = VirtualQueryEx, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = CreateRemoteThread, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetModuleFileNameW, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = FileTimeToSystemTime, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetLocalTime, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = OpenProcess, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetVersion, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = ExitThread, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetTempFileNameA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = VirtualProtect, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = VirtualFree, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetSystemInfo, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = DeleteCriticalSection, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = CloseHandle, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = CreateFileMappingA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = WriteProcessMemory, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = CreateFileA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = lstrcmpA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = MapViewOfFile, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = UnmapViewOfFile, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetModuleFileNameA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = lstrcmpiA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetModuleHandleA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = Sleep, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = LoadLibraryA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetCurrentProcess, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GlobalUnlock, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = HeapAlloc, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = lstrcpyA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GlobalLock, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = lstrlenA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = WriteFile, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = CreateDirectoryA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetLastError, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = HeapFree, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = RemoveDirectoryA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = DeleteFileA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = lstrcatA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetTickCount, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = HeapDestroy, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = HeapCreate, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = SetEvent, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = HeapReAlloc, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = FindFirstFileW, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = LocalFree, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = WaitForMultipleObjects, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = SuspendThread, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = TerminateProcess, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = ResumeThread, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = lstrcpyW, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = FindClose, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = CreateThread, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = ResetEvent, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = SwitchToThread, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = lstrcatW, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = FindNextFileW, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = CreateProcessW, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = CopyFileW, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = SetWaitableTimer, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = LocalAlloc, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetCurrentThreadId, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetCurrentThread, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = lstrlenW, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = CreateEventA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = DeleteFileW, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = CreateDirectoryW, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetTempPathA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = CreateFileW, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = WideCharToMultiByte, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetFileAttributesW, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetFileSize, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetComputerNameA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = EnterCriticalSection, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = CreateMutexA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = OpenWaitableTimerA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = OpenMutexA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetVolumeInformationA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = WaitForSingleObject, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = ReleaseMutex, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetComputerNameW, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = LeaveCriticalSection, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = SetLastError, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = InitializeCriticalSection, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = LoadLibraryExW, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetProcAddress, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetFileAttributesA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = OpenFileMappingA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetExitCodeProcess, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetDriveTypeW, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = lstrcpynA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = LocalReAlloc, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = TlsAlloc, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = TlsGetValue, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = TlsSetValue, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = FreeLibrary, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = LoadLibraryW, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetVersionExW, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = ReadFile, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = SetFilePointer, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = Thread32First, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = QueueUserAPC, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = OpenThread, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetCurrentProcessId, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = Thread32Next, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = FindFirstFileA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = FindNextFileA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = ConnectNamedPipe, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetOverlappedResult, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = CancelIo, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = DisconnectNamedPipe, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = FlushFileBuffers, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = CallNamedPipeA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = CreateNamedPipeA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetSystemTime, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = WaitNamedPipeA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = SetEndOfFile, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetFileTime, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = ExitProcess, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = CompareFileTime, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = GetTempPathW, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = OpenEventA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = RemoveDirectoryW, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = SleepEx, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = lstrcmpiW, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = RaiseException, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = Process32FirstW, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = Process32NextW, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = QueueUserWorkItem, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = CreateWaitableTimerA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = CreateProcessA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = VirtualProtectEx, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Load	module_name = AVIFIL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = AVIFileExit, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = AVIMakeCompressedStream, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = AVIStreamRelease, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = AVIFileRelease, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = AVIStreamWrite, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = AVIFileOpenA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = AVIFileCreateStreamA, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = AVIStreamSetFormat, ordinal = 0, address_out = 0x6adfe90	1	Fn
Module	Get Address	function = AVIFileInit, ordinal = 0, address_out = 0x6adfe90	1	Fn
System	Get Time	type = Ticks, time = 110121	1	Fn
Module	Get Handle	module_name = c:\windows\explorer.exe, base_address = 0xffb60000	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	module_name = AVIFIL32.dll, process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsWow64Process, address_out = 0x770491d0	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x77160000	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7fefd71d710	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x7fefd5c0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrRChrA, address_out = 0x7fefd5c4c9c	1	Fn
Module	Get Handle	module_name = c:\windows\system32\user32.dll, base_address = 0x76f40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowThreadProcessId, address_out = 0x76f50a90	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x76f40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = FindWindowA, address_out = 0x76f68270	1	Fn
Window	Find	class_name = ProgMan	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = wsprintfA, address_out = 0x76fbbae8	1	Fn
Module	Get Handle	module_name = c:\windows\system32\user32.dll, base_address = 0x76f40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowThreadProcessId, address_out = 0x76f50a90	1	Fn
Window	Find	class_name = ProgMan	1	Fn
File	Create	filename = C:\Users\aETAdzjz\Desktop\sgm_20190527_desfuhohdt.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Desktop\sgm_20190527_desfuhohdt.exe, type = size	1	Fn
File	Read	filename = C:\Users\aETAdzjz\Desktop\sgm_20190527_desfuhohdt.exe, size = 1158144, size_out = 1158144	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x7fefd72b5f0	1	Fn
Registry	Open Key	reg_name = HKEY_USERS	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegEnumKeyExA, address_out = 0x7fefd721d70	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_USERS	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_USERS	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_USERS	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_USERS	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrChrA, address_out = 0x7fefd5daf54	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyA, address_out = 0x7fefd71d6d0	1	Fn
Registry	Open Key	reg_name = HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_USERS	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_USERS	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_USERS	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7fefd730710	1	Fn
Mutex	Create	mutex_name = {AE7A4847-3582-10AE-2FC2-3944D3167DB8}	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x77160000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernelbase.dll, base_address = 0x7fefd330000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = GetUserNameA, address_out = 0x7fefd71dc20	1	Fn
User	Get Username	-	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetThreadDesktop, address_out = 0x76f5a850	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetUserObjectInformationA, address_out = 0x76f4777c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CloseDesktop, address_out = 0x76f4d850	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x77160000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x7fefd710000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Load	module_name = PSAPI.DLL, base_address = 0x77320000	1	Fn
Module	Get Address	module_name = c:\windows\system32\psapi.dll, function = EnumProcessModules, address_out = 0x77321050	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	171	Fn
Module	Get Filename	module_name = AVIFIL32.dll, process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 260	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrStrIW, address_out = 0x7fefd5cfb70	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegSetValueExA, address_out = 0x7fefd721dc0	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = EnableSPDY3_0, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
System	Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Wow64EnableWow64FsRedirection, address_out = 0x7708ffd0	1	Fn
Process	Create	process_name = C:\Windows\SysWOW64\explorer.exe, os_pid = 0xaf8, creation_flags = CREATE_SUSPENDED, CREATE_DEFAULT_ERROR_MODE, show_window = SW_HIDE	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2130571264, size = 616	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 4128768, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 4128984, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 4329210, size = 4	1	Fn Data
Memory	Protect	process_name = C:\Windows\SysWOW64\explorer.exe, address = 4329210, protection = PAGE_EXECUTE_READWRITE, size = 4	1	Fn
Memory	Write	process_name = C:\Windows\SysWOW64\explorer.exe, address = 0x420efa, size = 4	1	Fn Data
Memory	Protect	process_name = C:\Windows\SysWOW64\explorer.exe, address = 4329210, protection = PAGE_EXECUTE_READ, size = 4	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ResumeThread, address_out = 0x770513a0	1	Fn
Thread	Resume	process_name = c:\windows\explorer.exe, os_tid = 0xaf0	1	Fn
System	Sleep	duration = 100 milliseconds (0.100 seconds)	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SuspendThread, address_out = 0x77042f60	1	Fn
Thread	Suspend	process_name = c:\windows\explorer.exe, os_tid = 0xaf0	1	Fn
Thread	Get Context	process_name = c:\windows\explorer.exe, os_tid = 0xaf0	1	Fn
Thread	Resume	process_name = c:\windows\explorer.exe, os_tid = 0xaf0	1	Fn
System	Sleep	duration = 100 milliseconds (0.100 seconds)	1	Fn
Thread	Suspend	process_name = c:\windows\explorer.exe, os_tid = 0xaf0	1	Fn
Thread	Get Context	process_name = c:\windows\explorer.exe, os_tid = 0xaf0	1	Fn
Thread	Resume	process_name = c:\windows\explorer.exe, os_tid = 0xaf0	1	Fn
System	Sleep	duration = 100 milliseconds (0.100 seconds)	1	Fn
Thread	Suspend	process_name = c:\windows\explorer.exe, os_tid = 0xaf0	1	Fn
Thread	Get Context	process_name = c:\windows\explorer.exe, os_tid = 0xaf0	1	Fn
Module	Create Mapping	protection = PAGE_EXECUTE_READWRITE, maximum_size = 112063248	1	Fn
Module	Map	process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x9b70000	1	Fn
Module	Map	process_name = C:\Windows\SysWOW64\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2c0000	1	Fn
Process	Get Info	type = PROCESS_WOW64_INFORMATION	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2130567168, size = 20	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000945664, size = 36	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7087264, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7087392, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7088224, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7088456, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7090272, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7090472, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7091368, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7090952, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7134608, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7136864, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7137064, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7137264, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7137456, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7137656, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7137856, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139080, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139280, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139512, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139640, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139768, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139896, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140024, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140152, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140280, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140408, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140536, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140664, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140792, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140920, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7141048, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7141176, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7141304, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7141432, size = 80	1	Fn Data
Process	Get Info	type = PROCESS_WOW64_INFORMATION	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2130567168, size = 20	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000945664, size = 36	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7087264, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7084216, size = 64	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7087392, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7087520, size = 58	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7088224, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7088144, size = 64	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7088456, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7088376, size = 68	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7090272, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7090192, size = 64	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7090472, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7090400, size = 60	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7091368, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7091296, size = 62	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7090952, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7090840, size = 60	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7134608, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7091192, size = 62	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7136864, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7136784, size = 66	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7137064, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7136992, size = 58	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7137264, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7137192, size = 60	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7137456, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7137392, size = 54	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7137656, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7137584, size = 58	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7137856, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7137784, size = 62	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139080, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139008, size = 62	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139280, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139208, size = 58	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139512, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139408, size = 64	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139640, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7148368, size = 74	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139768, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7148456, size = 58	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139896, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7149552, size = 58	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140024, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7149840, size = 58	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140152, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7150968, size = 58	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140280, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7151040, size = 62	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140408, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7155592, size = 64	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140536, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7149912, size = 64	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140664, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7149992, size = 64	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140792, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7151112, size = 60	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140920, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7151184, size = 60	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7141048, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7155152, size = 54	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7141176, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7157248, size = 226	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7141304, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7151256, size = 62	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7141432, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7151328, size = 62	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999896576, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999900672, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999904768, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999908864, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999912960, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999917056, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999921152, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999925248, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999929344, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999933440, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999937536, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999941632, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999945728, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999949824, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999953920, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999958016, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999962112, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999966208, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999970304, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999974400, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999978496, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999982592, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999986688, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999990784, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999994880, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999998976, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000003072, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000007168, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000011264, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000015360, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000019456, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000023552, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000027648, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000031744, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000035840, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000039936, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000044032, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000048128, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000052224, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000056320, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000060416, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000064512, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000068608, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000072704, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000076800, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000080896, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000084992, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000089088, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000093184, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000097280, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000101376, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000105472, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000109568, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000113664, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000117760, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000121856, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000125952, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000130048, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000134144, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000138240, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000142336, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000146432, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000150528, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000154624, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000158720, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000162816, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000166912, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000171008, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000175104, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000179200, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000183296, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000187392, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000191488, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000195584, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000199680, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000203776, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000207872, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000211968, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000216064, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000220160, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000224256, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000228352, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000232448, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000236544, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000240640, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000244736, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000248832, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000252928, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000257024, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000261120, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000265216, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000269312, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000273408, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000277504, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000281600, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000285696, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000289792, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000293888, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000297984, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000302080, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000306176, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000310272, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000314368, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000318464, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000322560, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000326656, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000330752, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000334848, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000338944, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000343040, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000347136, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000351232, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000355328, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000359424, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000363520, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000367616, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000371712, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000375808, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000379904, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000384000, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000388096, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000392192, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000396288, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000400384, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000404480, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000408576, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000412672, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000416768, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000420864, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000424960, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000429056, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000433152, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000437248, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000441344, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000445440, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000449536, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000453632, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000457728, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000461824, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000465920, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000470016, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000474112, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000478208, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000482304, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000486400, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000490496, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000494592, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000498688, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000502784, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000506880, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000510976, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000515072, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000519168, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000523264, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000527360, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000531456, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000535552, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000539648, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000543744, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000547840, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000551936, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000556032, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000560128, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000564224, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000568320, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000572416, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000576512, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000580608, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000584704, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000588800, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000592896, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000596992, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000601088, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000605184, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000609280, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000613376, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000617472, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000621568, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000625664, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000629760, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000633856, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000637952, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000642048, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000646144, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000650240, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000654336, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000658432, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000662528, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000666624, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000670720, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000674816, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000678912, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000683008, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000687104, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000691200, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000695296, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000699392, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000703488, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000707584, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000711680, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000715776, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000719872, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000723968, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000728064, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000732160, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000736256, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000740352, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000744448, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000748544, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000752640, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000756736, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000760832, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000764928, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000769024, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000773120, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000777216, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000781312, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000785408, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000789504, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000793600, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000797696, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000801792, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000805888, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000809984, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000814080, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000818176, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000822272, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000826368, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000830464, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000834560, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000838656, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000842752, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000846848, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000850944, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000855040, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000859136, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000863232, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000867328, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000871424, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000875520, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000879616, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000883712, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000887808, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000891904, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000896000, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000900096, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000904192, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000908288, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000912384, size = 4096	1	Fn
Process	Get Info	type = PROCESS_WOW64_INFORMATION	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2130567168, size = 20	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000945664, size = 36	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7087264, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7087392, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7088224, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7088456, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7090272, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7090472, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7091368, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7090952, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7134608, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7136864, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7137064, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7137264, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7137456, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7137656, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7137856, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139080, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139280, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139512, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139640, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139768, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139896, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140024, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140152, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140280, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140408, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140536, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140664, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140792, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140920, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7141048, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7141176, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7141304, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7141432, size = 80	1	Fn Data
Process	Get Info	type = PROCESS_WOW64_INFORMATION	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2130567168, size = 20	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000945664, size = 36	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7087264, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7084216, size = 64	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7087392, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7087520, size = 58	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7088224, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7088144, size = 64	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7088456, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7088376, size = 68	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7090272, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7090192, size = 64	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7090472, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7090400, size = 60	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7091368, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7091296, size = 62	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7090952, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7090840, size = 60	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7134608, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7091192, size = 62	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7136864, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7136784, size = 66	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7137064, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7136992, size = 58	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7137264, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7137192, size = 60	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7137456, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7137392, size = 54	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7137656, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7137584, size = 58	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7137856, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7137784, size = 62	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139080, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139008, size = 62	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139280, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139208, size = 58	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139512, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139408, size = 64	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139640, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7148368, size = 74	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139768, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7148456, size = 58	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7139896, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7149552, size = 58	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140024, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7149840, size = 58	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140152, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7150968, size = 58	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140280, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7151040, size = 62	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140408, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7155592, size = 64	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140536, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7149912, size = 64	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140664, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7149992, size = 64	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140792, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7151112, size = 60	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7140920, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7151184, size = 60	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7141048, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7155152, size = 54	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7141176, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7157248, size = 226	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7141304, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7151256, size = 62	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7141432, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7151328, size = 62	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999896576, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999900672, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999904768, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999908864, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999912960, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999917056, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999921152, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999925248, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999929344, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999933440, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999937536, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999941632, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999945728, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999949824, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999953920, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999958016, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999962112, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999966208, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999970304, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999974400, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999978496, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999982592, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999986688, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999990784, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999994880, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 1999998976, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000003072, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000007168, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000011264, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000015360, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000019456, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000023552, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000027648, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000031744, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000035840, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000039936, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000044032, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000048128, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000052224, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000056320, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000060416, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000064512, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000068608, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000072704, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000076800, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000080896, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000084992, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000089088, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000093184, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000097280, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000101376, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000105472, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000109568, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000113664, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000117760, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000121856, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000125952, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000130048, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000134144, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000138240, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000142336, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000146432, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000150528, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000154624, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000158720, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000162816, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000166912, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000171008, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000175104, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000179200, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000183296, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000187392, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000191488, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000195584, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000199680, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000203776, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000207872, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000211968, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000216064, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000220160, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000224256, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000228352, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000232448, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000236544, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000240640, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000244736, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000248832, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000252928, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000257024, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000261120, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000265216, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000269312, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000273408, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000277504, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000281600, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000285696, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000289792, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000293888, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000297984, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000302080, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000306176, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000310272, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000314368, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000318464, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000322560, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000326656, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000330752, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000334848, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000338944, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000343040, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000347136, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000351232, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000355328, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000359424, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000363520, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000367616, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000371712, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000375808, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000379904, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000384000, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000388096, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000392192, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000396288, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000400384, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000404480, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000408576, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000412672, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000416768, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000420864, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000424960, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000429056, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000433152, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000437248, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000441344, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000445440, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000449536, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000453632, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000457728, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000461824, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000465920, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000470016, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000474112, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000478208, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000482304, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000486400, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000490496, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000494592, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000498688, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000502784, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000506880, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000510976, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000515072, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000519168, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000523264, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000527360, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000531456, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000535552, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000539648, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000543744, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000547840, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000551936, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000556032, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000560128, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000564224, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000568320, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000572416, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000576512, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000580608, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000584704, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000588800, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000592896, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000596992, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000601088, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000605184, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000609280, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000613376, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000617472, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000621568, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000625664, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000629760, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000633856, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000637952, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000642048, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000646144, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000650240, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000654336, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000658432, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000662528, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000666624, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000670720, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000674816, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000678912, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000683008, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000687104, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000691200, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000695296, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000699392, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000703488, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000707584, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000711680, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000715776, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000719872, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000723968, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000728064, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000732160, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000736256, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000740352, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000744448, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000748544, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000752640, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000756736, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000760832, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000764928, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000769024, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000773120, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000777216, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000781312, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000785408, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000789504, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000793600, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000797696, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000801792, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000805888, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000809984, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000814080, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000818176, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000822272, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000826368, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000830464, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000834560, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000838656, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000842752, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000846848, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000850944, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000855040, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000859136, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000863232, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000867328, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000871424, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000875520, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000879616, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000883712, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000887808, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000891904, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000896000, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000900096, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000904192, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000908288, size = 4096	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000912384, size = 4096	1	Fn
Process	Get Info	type = PROCESS_WOW64_INFORMATION	1	Fn
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2130567168, size = 20	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 2000945664, size = 36	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7087264, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7087392, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7088224, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7088456, size = 80	1	Fn Data
Memory	Read	process_name = C:\Windows\SysWOW64\explorer.exe, address = 7090272, size = 80	1	Fn Data
For performance reasons, the remaining 390 entries are omitted. The remaining entries can be found in glog.xml.

Thread 0xaf4

Category	Operation	Information	Success	Count	Logfile
File	Delete	filename = C:\Users\aETAdzjz\Desktop\sgm_20190527_desfuhohdt.exe		1	Fn

Thread 0xb00

Category	Operation	Information	Success	Count	Logfile
System	Sleep	duration = -1 (infinite)		1	Fn

Thread 0xb04

Category	Operation	Information	Count	Logfile
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetWindowsHookExA, address_out = 0x76f68c20	1	Fn
System	Register Hook	type = WH_KEYBOARD_LL, hookproc_address = 0x94e17f4	1	Fn
System	Get Time	type = Ticks, time = 111774	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = RegisterClassA, address_out = 0x76f49f68	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CreateWindowExA, address_out = 0x76f4a2e0	1	Fn
Window	Create	class_name = {353A45A5-3AC0-6F1F-A9F2-ED46C3F4A768}, wndproc_parameter = 156338352	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowLongPtrA, address_out = 0x76f537c0	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DefWindowProcA, address_out = 0x7717f548	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetWindowLongPtrA, address_out = 0x76f4b500	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMessageA, address_out = 0x76f56110	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CallNextHookEx, address_out = 0x76f4bae0	1	Fn

Thread 0xb08

Category	Operation	Information	Success	Count	Logfile
System	Get Time	type = Ticks, time = 111774		1	Fn
Window	Create	class_name = {7F7FA1E5-6A00-555F-E932-2D860334E7A8}, wndproc_parameter = 156338016		1	Fn

Thread 0xb0c

158

Category	Operation	Information	Count	Logfile
System	Sleep	duration = -1 (infinite)	1	Fn
File	Read	size = 12, size_out = 0	1	Fn Data
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Write	size = 12	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn
File	Read	size = 12, size_out = 0	1	Fn Data
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Write	size = 12	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn
File	Read	size = 12, size_out = 0	1	Fn Data
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Write	size = 12	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn
File	Read	size = 12, size_out = 0	1	Fn Data
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Write	size = 12	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn
File	Read	size = 12, size_out = 0	1	Fn Data
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{6A5E21FF-C1FA-2C95-9B3E-8520FF528954}, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Write	size = 12	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn
File	Read	size = 12, size_out = 0	1	Fn
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Read	size = 98, size_out = 98	1	Fn Data
System	Get Time	type = System Time, time = 2019-06-09 15:06:18 (UTC)	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{F5FB2C3C-D05C-EF89-82F9-0493D63D7877}	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{F5FB2C3C-D05C-EF89-82F9-0493D63D7877}\01D51ED4E3ECF92009, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{F5FB2C3C-D05C-EF89-82F9-0493D63D7877}\01D51ED4E3ECF92009, size = 98	1	Fn Data
File	Write	size = 12	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn
File	Read	size = 12, size_out = 0	1	Fn Data
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Write	size = 12	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn
File	Read	size = 12, size_out = 0	1	Fn Data
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Read	size = 92, size_out = 0	1	Fn Data
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 166811	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\2855.bin, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\2855.bin, type = size	1	Fn
Module	Create Mapping	module_name = C:\Users\aETAdzjz\AppData\Local\Temp\2855.bin, filename = C:\Users\aETAdzjz\AppData\Local\Temp\2855.bin, protection = PAGE_READONLY, maximum_size = 163	1	Fn
File	Write	size = 12	1	Fn Data
File	Write	size = 152	1	Fn Data
File	Read	size = 12, size_out = 0	1	Fn
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Read	size = 12, size_out = 0	1	Fn
File	Write	size = 12	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
File	Read	size = 12, size_out = 0	1	Fn
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Read	size = 44, size_out = 44	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, size = 44, type = REG_BINARY	1	Fn Data
File	Write	size = 12	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn
File	Read	size = 12, size_out = 12	1	Fn Data
File	Read	size = 44, size_out = 44	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, size = 44, type = REG_BINARY	1	Fn Data
File	Write	size = 12	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn
File	Read	size = 12, size_out = 0	1	Fn Data
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Write	size = 12	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn
File	Read	size = 12, size_out = 12	1	Fn Data
File	Create	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{6A5E21FF-C1FA-2C95-9B3E-8520FF528954}, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Write	size = 12	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn
File	Read	size = 12, size_out = 0	1	Fn Data
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Write	size = 12	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn
File	Read	size = 12, size_out = 0	1	Fn Data
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Read	size = 92, size_out = 0	1	Fn Data
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 465850	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\2855.bin, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\2855.bin, type = size	1	Fn
Module	Create Mapping	module_name = C:\Users\aETAdzjz\AppData\Local\Temp\2855.bin, filename = C:\Users\aETAdzjz\AppData\Local\Temp\2855.bin, protection = PAGE_READONLY, maximum_size = 163	1	Fn
File	Write	size = 12	1	Fn Data
File	Write	size = 152	1	Fn Data
File	Read	size = 12, size_out = 0	1	Fn
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Read	size = 12, size_out = 0	1	Fn
File	Write	size = 12	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
File	Read	size = 12, size_out = 12	1	Fn Data
File	Read	size = 44, size_out = 44	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, size = 44, type = REG_BINARY	1	Fn Data
File	Write	size = 12	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn
File	Read	size = 12, size_out = 0	1	Fn
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Read	size = 44, size_out = 44	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, size = 44, type = REG_BINARY	1	Fn Data
File	Write	size = 12	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn
File	Read	size = 12, size_out = 0	1	Fn Data
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{6A5E21FF-C1FA-2C95-9B3E-8520FF528954}, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Write	size = 12	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn
File	Read	size = 12, size_out = 0	1	Fn Data
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Write	size = 12	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn
File	Read	size = 12, size_out = 0	1	Fn Data
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Read	size = 92, size_out = 0	1	Fn Data
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 765855	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\2855.bin, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\2855.bin, type = size	1	Fn
Module	Create Mapping	module_name = C:\Users\aETAdzjz\AppData\Local\Temp\2855.bin, filename = C:\Users\aETAdzjz\AppData\Local\Temp\2855.bin, protection = PAGE_READONLY, maximum_size = 163	1	Fn
File	Write	size = 12	1	Fn Data
File	Write	size = 152	1	Fn Data
File	Read	size = 12, size_out = 0	1	Fn
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Read	size = 12, size_out = 0	1	Fn
File	Write	size = 12	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
File	Read	size = 12, size_out = 12	1	Fn Data
File	Read	size = 44, size_out = 44	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, size = 44, type = REG_BINARY	1	Fn Data
File	Write	size = 12	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn
File	Read	size = 12, size_out = 0	1	Fn
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Read	size = 44, size_out = 44	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, size = 44, type = REG_BINARY	1	Fn Data
File	Write	size = 12	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn

Thread 0xb10

117

Category	Operation	Information	Count	Logfile
Mutex	Open	mutex_name = Local\{FCF9E212-2B0D-8EC0-95F0-8FA2992433F6}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Mutex	Open	mutex_name = Local\{4B67ACB1-2E14-B54D-90AF-42B9C45396FD}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Mutex	Open	mutex_name = Local\{A3415127-A63A-CD11-C887-3A517CAB0E15}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\SecureBrain\PhishWall	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, size = 44, type = REG_BINARY	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, size = 44, type = REG_BINARY	1	Fn Data
System	Get Time	type = System Time, time = 2019-06-09 15:06:15 (UTC)	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, size = 44, type = REG_BINARY	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, size = 44, type = REG_BINARY	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Run	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegNotifyChangeKeyValue, address_out = 0x7fefd721820	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Mutex	Release	mutex_name = Local\{4B67ACB1-2E14-B54D-90AF-42B9C45396FD}	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = LastTask, type = REG_NONE	1	Fn
File	Create	filename = \\.\pipe\{5797B6E3-CA4C-A155-8C7B-9E6580DFB269}, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OVERLAPPED	1	Fn
File	Write	filename = \\.\pipe\{5797B6E3-CA4C-A155-8C7B-9E6580DFB269}, size = 12	1	Fn Data
File	Read	filename = \\.\pipe\{5797B6E3-CA4C-A155-8C7B-9E6580DFB269}, size = 12, size_out = 12	1	Fn Data
File	Read	filename = \\.\pipe\{5797B6E3-CA4C-A155-8C7B-9E6580DFB269}, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 151913	2	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrTrimA, address_out = 0x7fefd5f06a4	1	Fn
Module	Load	module_name = WININET.dll, base_address = 0x7feff340000	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = FindFirstUrlCacheEntryA, address_out = 0x7feff3656f0	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrStrIA, address_out = 0x7fefd5c5a1c	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = FindNextUrlCacheEntryA, address_out = 0x7feff365aac	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = FindCloseUrlCache, address_out = 0x7feff34e600	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = InternetCanonicalizeUrlA, address_out = 0x7feff3a0b90	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = InternetOpenA, address_out = 0x7feff359098	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64), access_type = INTERNET_OPEN_TYPE_PRECONFIG, flags = INTERNET_FLAG_ASYNC	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = InternetSetStatusCallback, address_out = 0x7feff372f00	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = InternetConnectA, address_out = 0x7feff373130	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = pilodirsob.com, server_port = 443	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = HttpOpenRequestA, address_out = 0x7feff373910	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP/1.1, target_resource = /images/ALm9doLlVIZDvXXaVPSD5NU/G9gIRqJdLN/sZhuaaCEFWzkyoqKj/9pFw3rOHHUnw/3eVqlH8JMBb/YM6sRsgoL7b6mo/uZxBYWQozhPbYbk_2FE3f/9dQnckJqipAjCt_2/Fwt0XfhOSi4n4Sv/muG4_2Bsfmf_2BX9cd/W7uCekL9q/zb_2F_2FSyLHWG9lwOh0/h12G3w93FzjEbcw/2TY.gif, accept_types = 0, flags = INTERNET_FLAG_CACHE_ASYNC, INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = InternetQueryOptionA, address_out = 0x7feff34e874	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = InternetSetOptionA, address_out = 0x7feff34fb34	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = HttpSendRequestA, address_out = 0x7feff3bf600	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = pilodirsob.com/images/ALm9doLlVIZDvXXaVPSD5NU/G9gIRqJdLN/sZhuaaCEFWzkyoqKj/9pFw3rOHHUnw/3eVqlH8JMBb/YM6sRsgoL7b6mo/uZxBYWQozhPbYbk_2FE3f/9dQnckJqipAjCt_2/Fwt0XfhOSi4n4Sv/muG4_2Bsfmf_2BX9cd/W7uCekL9q/zb_2F_2FSyLHWG9lwOh0/h12G3w93FzjEbcw/2TY.gif	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	2	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = InternetCloseHandle, address_out = 0x7feff355594	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, size = 44, type = REG_BINARY	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Sfi	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegEnumValueA, address_out = 0x7fefd71d680	1	Fn
Registry	Enumerate Values	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Sfi	1	Fn
System	Get Time	type = Ticks, time = 264655	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\2855.bin, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\2855.bin, type = size	1	Fn
Module	Create Mapping	module_name = C:\Users\aETAdzjz\AppData\Local\Temp\2855.bin, filename = C:\Users\aETAdzjz\AppData\Local\Temp\2855.bin, protection = PAGE_READONLY, maximum_size = 163	1	Fn
Module	Map	C:\Users\aETAdzjz\AppData\Local\Temp\2855.bin, process_name = c:\windows\explorer.exe, desired_access = FILE_MAP_READ	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64), access_type = INTERNET_OPEN_TYPE_PRECONFIG, flags = INTERNET_FLAG_ASYNC	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = pilodirsob.com, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP/1.1, target_resource = /images/VpSwnjfgapjrZm6gIom/TOD75vUMx0nMCen9Uivpm3/5C17VQzgjhR1Y/2RyNWwMc/ubmDPmuEaZgasPIJUIBnukQ/RVFbBOvH6_/2F6abm7B8P2xoLmrb/eNtEQ_2F6FwB/1WdZQWiwsL_/2Bq9YG_2B3mLRZ/t1ISj0P_2Fyy_2FjWUqVh/ijGkia_2BTF3Kwp4/JMZvkFn9bDPuy3c/TnKkY4EZrL7eqh_2FM/_2Fp4Om_2F/KEfjK.bmp, accept_types = 0, flags = INTERNET_FLAG_CACHE_ASYNC, INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
System	Get Time	type = Ticks, time = 264733	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = HttpAddRequestHeadersA, address_out = 0x7feff358070	1	Fn
Inet	Add HTTP Request Headers	headers = Content-Type: multipart/form-data; boundary=--------------------------116b29d116b29d116b29d	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = pilodirsob.com/images/VpSwnjfgapjrZm6gIom/TOD75vUMx0nMCen9Uivpm3/5C17VQzgjhR1Y/2RyNWwMc/ubmDPmuEaZgasPIJUIBnukQ/RVFbBOvH6_/2F6abm7B8P2xoLmrb/eNtEQ_2F6FwB/1WdZQWiwsL_/2Bq9YG_2B3mLRZ/t1ISj0P_2Fyy_2FjWUqVh/ijGkia_2BTF3Kwp4/JMZvkFn9bDPuy3c/TnKkY4EZrL7eqh_2FM/_2Fp4Om_2F/KEfjK.bmp	1	Fn Data
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	2	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, size = 44, type = REG_BINARY	1	Fn Data
Module	Unmap	process_name = c:\windows\explorer.exe	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:08:30 (UTC)	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Exec, type = REG_NONE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Exec, type = REG_NONE	1	Fn
System	Sleep	duration = -1 (infinite)	4	Fn
System	Sleep	duration = -1 (infinite)	1	Fn

Thread 0xb50

Category	Operation	Information	Count	Logfile
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = PathFindFileNameW, address_out = 0x7fefd5d3920	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrChrW, address_out = 0x7fefd5cfa50	1	Fn
Process	Create	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, os_pid = 0xb54, creation_flags = CREATE_SUSPENDED, CREATE_NEW_CONSOLE, CREATE_UNICODE_ENVIRONMENT, CREATE_EXTENDED_STARTUPINFO_PRESENT, CREATE_DEFAULT_ERROR_MODE, startup_flags = STARTF_USESHOWWINDOW, STARTF_TITLEISLINKNAME, show_window = SW_SHOWNORMAL	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Memory	Read	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 2130571264, size = 616	1	Fn Data
Memory	Read	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 14024704, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 14024952, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 14032026, size = 4	1	Fn Data
Memory	Protect	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 14032026, protection = PAGE_EXECUTE_READWRITE, size = 4	1	Fn
Memory	Write	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 0xd61c9a, size = 4	1	Fn Data
Memory	Protect	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 14032026, protection = PAGE_EXECUTE_READ, size = 4	1	Fn
Thread	Resume	process_name = c:\windows\explorer.exe, os_tid = 0xb50	1	Fn
System	Sleep	duration = 100 milliseconds (0.100 seconds)	1	Fn
Thread	Suspend	process_name = c:\windows\explorer.exe, os_tid = 0xb50	1	Fn
Thread	Get Context	process_name = c:\windows\explorer.exe, os_tid = 0xb50	1	Fn
Thread	Resume	process_name = c:\windows\explorer.exe, os_tid = 0xb50	1	Fn
System	Sleep	duration = 100 milliseconds (0.100 seconds)	1	Fn
Thread	Suspend	process_name = c:\windows\explorer.exe, os_tid = 0xb50	1	Fn
Thread	Get Context	process_name = c:\windows\explorer.exe, os_tid = 0xb50	1	Fn
Module	Create Mapping	protection = PAGE_EXECUTE_READWRITE, maximum_size = 166451424	1	Fn
Module	Map	process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x9ec0000	1	Fn
Module	Map	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x470000	1	Fn
Memory	Allocate	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 166449984, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 166449992	1	Fn
Thread	Get Context	process_name = c:\windows\explorer.exe, os_tid = 0xb50	1	Fn
Memory	Write	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 0x140000, size = 792	1	Fn Data
Thread	Set Context	process_name = c:\windows\explorer.exe, os_tid = 0xb50	1	Fn
Module	Unmap	process_name = c:\windows\explorer.exe	1	Fn
Memory	Protect	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 14032026, protection = PAGE_EXECUTE_READWRITE, size = 4	1	Fn
Memory	Write	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 0xd61c9a, size = 4	1	Fn Data
Memory	Protect	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 14032026, protection = PAGE_EXECUTE_READ, size = 4	1	Fn

Thread 0xb60

Category	Operation	Information	Count	Logfile
Process	Create	process_name = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, os_pid = 0xb64, creation_flags = CREATE_SUSPENDED, CREATE_NEW_CONSOLE, CREATE_UNICODE_ENVIRONMENT, CREATE_EXTENDED_STARTUPINFO_PRESENT, CREATE_DEFAULT_ERROR_MODE, startup_flags = STARTF_USESHOWWINDOW, STARTF_TITLEISLINKNAME, show_window = SW_SHOWNORMAL	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Memory	Read	process_name = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, address = 4294832128, size = 616	1	Fn Data
Memory	Read	process_name = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, address = 17956864, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, address = 17957104, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, address = 17966200, size = 4	1	Fn Data
Memory	Protect	process_name = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, address = 17966200, protection = PAGE_EXECUTE_READWRITE, size = 4	1	Fn
Memory	Write	process_name = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, address = 0x1122478, size = 4	1	Fn Data
Memory	Protect	process_name = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, address = 17966200, protection = PAGE_EXECUTE_READ, size = 4	1	Fn
Thread	Resume	process_name = c:\windows\explorer.exe, os_tid = 0xb60	1	Fn
System	Sleep	duration = 100 milliseconds (0.100 seconds)	1	Fn
Thread	Suspend	process_name = c:\windows\explorer.exe, os_tid = 0xb60	1	Fn
Thread	Get Context	process_name = c:\windows\explorer.exe, os_tid = 0xb60	1	Fn
Thread	Resume	process_name = c:\windows\explorer.exe, os_tid = 0xb60	1	Fn
System	Sleep	duration = 100 milliseconds (0.100 seconds)	1	Fn
Thread	Suspend	process_name = c:\windows\explorer.exe, os_tid = 0xb60	1	Fn
Thread	Get Context	process_name = c:\windows\explorer.exe, os_tid = 0xb60	1	Fn
Thread	Resume	process_name = c:\windows\explorer.exe, os_tid = 0xb60	1	Fn
System	Sleep	duration = 100 milliseconds (0.100 seconds)	1	Fn
Thread	Suspend	process_name = c:\windows\explorer.exe, os_tid = 0xb60	1	Fn
Thread	Get Context	process_name = c:\windows\explorer.exe, os_tid = 0xb60	1	Fn
Module	Create Mapping	protection = PAGE_EXECUTE_READWRITE, maximum_size = 166125040	1	Fn
Module	Map	process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x9e70000	1	Fn
Module	Map	process_name = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x810000	1	Fn
Memory	Allocate	process_name = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, address = 166123600, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 166123608	1	Fn
Thread	Get Context	process_name = c:\windows\explorer.exe, os_tid = 0xb60	1	Fn
Memory	Write	process_name = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, address = 0xe0000, size = 792	1	Fn Data
Thread	Set Context	process_name = c:\windows\explorer.exe, os_tid = 0xb60	1	Fn
Module	Unmap	process_name = c:\windows\explorer.exe	1	Fn
Memory	Protect	process_name = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, address = 17966200, protection = PAGE_EXECUTE_READWRITE, size = 4	1	Fn
Memory	Write	process_name = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, address = 0x1122478, size = 4	1	Fn Data
Memory	Protect	process_name = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, address = 17966200, protection = PAGE_EXECUTE_READ, size = 4	1	Fn

Thread 0xb6c

Category	Operation	Information	Count	Logfile
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrTrimW, address_out = 0x7fefd5cb090	1	Fn
Process	Create	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, os_pid = 0xb70, creation_flags = CREATE_SUSPENDED, CREATE_NEW_CONSOLE, CREATE_UNICODE_ENVIRONMENT, CREATE_EXTENDED_STARTUPINFO_PRESENT, CREATE_DEFAULT_ERROR_MODE, startup_flags = STARTF_USESHOWWINDOW, STARTF_TITLEISLINKNAME, show_window = SW_SHOWNORMAL	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Memory	Read	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 8796092878848, size = 616	1	Fn Data
Memory	Read	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 5357240320, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 5357240648, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 5358159256, size = 40	1	Fn Data
Memory	Read	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 5358041600, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 5357451232, size = 4	1	Fn Data
Memory	Protect	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 5357451232, protection = PAGE_EXECUTE_READWRITE, size = 4	1	Fn
Memory	Write	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 0x13f5437e0, size = 4	1	Fn Data
Memory	Protect	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 5357451232, protection = PAGE_EXECUTE_READ, size = 4	1	Fn
Thread	Resume	process_name = c:\windows\explorer.exe, os_tid = 0xb6c	1	Fn
System	Sleep	duration = 100 milliseconds (0.100 seconds)	1	Fn
Thread	Suspend	process_name = c:\windows\explorer.exe, os_tid = 0xb6c	1	Fn
Thread	Get Context	process_name = c:\windows\explorer.exe, os_tid = 0xb6c	1	Fn
Thread	Resume	process_name = c:\windows\explorer.exe, os_tid = 0xb6c	1	Fn
System	Sleep	duration = 100 milliseconds (0.100 seconds)	1	Fn
Thread	Suspend	process_name = c:\windows\explorer.exe, os_tid = 0xb6c	1	Fn
Thread	Get Context	process_name = c:\windows\explorer.exe, os_tid = 0xb6c	1	Fn
Thread	Resume	process_name = c:\windows\explorer.exe, os_tid = 0xb6c	1	Fn
System	Sleep	duration = 100 milliseconds (0.100 seconds)	1	Fn
Thread	Suspend	process_name = c:\windows\explorer.exe, os_tid = 0xb6c	1	Fn
Thread	Get Context	process_name = c:\windows\explorer.exe, os_tid = 0xb6c	1	Fn
Thread	Resume	process_name = c:\windows\explorer.exe, os_tid = 0xb6c	1	Fn
System	Sleep	duration = 100 milliseconds (0.100 seconds)	1	Fn
Thread	Suspend	process_name = c:\windows\explorer.exe, os_tid = 0xb6c	1	Fn
Thread	Get Context	process_name = c:\windows\explorer.exe, os_tid = 0xb6c	1	Fn
Thread	Resume	process_name = c:\windows\explorer.exe, os_tid = 0xb6c	1	Fn
System	Sleep	duration = 100 milliseconds (0.100 seconds)	1	Fn
Thread	Suspend	process_name = c:\windows\explorer.exe, os_tid = 0xb6c	1	Fn
Thread	Get Context	process_name = c:\windows\explorer.exe, os_tid = 0xb6c	1	Fn
Module	Create Mapping	protection = PAGE_EXECUTE_READWRITE, maximum_size = 111073760	1	Fn
Module	Map	process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x9d80000	1	Fn
Module	Map	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1d50000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x77160000	1	Fn
Module	Get Filename	module_name = c:\windows\system32\ntdll.dll, process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260	1	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4	1	Fn Data
Module	Get Filename	module_name = c:\windows\system32\ntdll.dll, process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260	1	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4	1	Fn Data
Module	Get Filename	module_name = c:\windows\system32\ntdll.dll, process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260	1	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4	1	Fn Data
Memory	Allocate	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 111072320, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 111072328	1	Fn
Thread	Get Context	process_name = c:\windows\explorer.exe, os_tid = 0xb6c	1	Fn
Memory	Write	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 0xe0000, size = 792	1	Fn Data
Thread	Set Context	process_name = c:\windows\explorer.exe, os_tid = 0xb6c	1	Fn
Module	Unmap	process_name = c:\windows\explorer.exe	1	Fn
Memory	Protect	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 5357451232, protection = PAGE_EXECUTE_READWRITE, size = 4	1	Fn
Memory	Write	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 0x13f5437e0, size = 4	1	Fn Data
Memory	Protect	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 5357451232, protection = PAGE_EXECUTE_READ, size = 4	1	Fn

Thread 0x878

7471

Category	Operation	Information	Count	Logfile
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoInitializeEx, address_out = 0x7fefea52a30	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager, value_name = Outlook, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager, value_name = Outlook, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	63	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings	63	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	63	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	63	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	24	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	1	Fn
Registry	Read Value	value_name = SMTP Email Address	1	Fn
Registry	Read Value	value_name = SMTP Server	1	Fn
Registry	Read Value	value_name = POP3 Server	1	Fn
Registry	Read Value	value_name = POP3 User Name	1	Fn
Registry	Read Value	value_name = SMTP User Name	1	Fn
Registry	Read Value	value_name = NNTP Email Address	1	Fn
Registry	Read Value	value_name = NNTP User Name	1	Fn
Registry	Read Value	value_name = NNTP Server	1	Fn
Registry	Read Value	value_name = IMAP Server	1	Fn
Registry	Read Value	value_name = IMAP User Name	1	Fn
Registry	Read Value	value_name = Email	1	Fn
Registry	Read Value	value_name = HTTP User	1	Fn
Registry	Read Value	value_name = HTTP Server URL	1	Fn
Registry	Read Value	value_name = POP3 User	1	Fn
Registry	Read Value	value_name = IMAP User	1	Fn
Registry	Read Value	value_name = HTTPMail User Name	1	Fn
Registry	Read Value	value_name = HTTPMail Server	1	Fn
Registry	Read Value	value_name = SMTP User	1	Fn
Registry	Read Value	value_name = POP3 Password2	1	Fn
Registry	Read Value	value_name = IMAP Password2	1	Fn
Registry	Read Value	value_name = NNTP Password2	1	Fn
Registry	Read Value	value_name = HTTPMail Password2	1	Fn
Registry	Read Value	value_name = SMTP Password2	1	Fn
Registry	Read Value	value_name = POP3 Password	1	Fn
Registry	Read Value	value_name = IMAP Password	1	Fn
Registry	Read Value	value_name = NNTP Password	1	Fn
Registry	Read Value	value_name = HTTP Password	1	Fn
Registry	Read Value	value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = SMTP Email Address	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = SMTP Server	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = POP3 Server	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = POP3 User Name	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = SMTP User Name	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = NNTP Email Address	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = NNTP User Name	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = NNTP Server	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = IMAP Server	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = IMAP User Name	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = Email	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = HTTP User	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = HTTP Server URL	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = POP3 User	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = IMAP User	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = HTTPMail User Name	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = HTTPMail Server	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = SMTP User	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = POP3 Password2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = IMAP Password2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = NNTP Password2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = HTTPMail Password2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = SMTP Password2	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = POP3 Password	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = IMAP Password	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = NNTP Password	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = HTTP Password	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = HTTPMail User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = HTTPMail Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = SMTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = POP3 Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = IMAP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = NNTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = HTTPMail Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = SMTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = POP3 Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = IMAP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = NNTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = HTTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = HTTPMail User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = HTTPMail Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = SMTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = POP3 Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = IMAP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = NNTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = HTTPMail Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = SMTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = POP3 Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = IMAP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = NNTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = HTTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = HTTPMail User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = HTTPMail Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = SMTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = POP3 Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = IMAP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = NNTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = HTTPMail Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = SMTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = POP3 Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = IMAP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = NNTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = HTTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = HTTPMail User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = HTTPMail Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = SMTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = POP3 Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = IMAP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = NNTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = HTTPMail Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = SMTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = POP3 Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = IMAP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = NNTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = HTTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = HTTPMail User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = HTTPMail Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = SMTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = POP3 Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = IMAP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = NNTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = HTTPMail Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = SMTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = POP3 Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = IMAP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = NNTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = HTTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = HTTPMail User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = HTTPMail Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = SMTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = POP3 Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = IMAP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = NNTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = HTTPMail Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = SMTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = POP3 Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = IMAP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = NNTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = HTTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = HTTPMail User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = HTTPMail Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = SMTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = POP3 Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = IMAP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = NNTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = HTTPMail Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = SMTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = POP3 Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = IMAP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = NNTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = HTTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = HTTPMail User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = HTTPMail Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = SMTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = POP3 Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = IMAP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = NNTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = HTTPMail Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = SMTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = POP3 Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = IMAP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = NNTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = HTTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = HTTPMail User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = HTTPMail Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = SMTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = POP3 Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = IMAP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = NNTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = HTTPMail Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = SMTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = POP3 Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = IMAP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = NNTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = HTTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = HTTPMail User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = HTTPMail Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = SMTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = POP3 Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = IMAP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = NNTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = HTTPMail Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = SMTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = POP3 Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = IMAP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = NNTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = HTTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = HTTPMail User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = HTTPMail Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = SMTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = POP3 Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = IMAP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = NNTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = HTTPMail Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = SMTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = POP3 Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = IMAP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = NNTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = HTTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = HTTPMail User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = HTTPMail Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = SMTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = POP3 Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = IMAP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = NNTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = HTTPMail Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = SMTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = POP3 Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = IMAP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = NNTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = HTTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = HTTPMail User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = HTTPMail Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = SMTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = POP3 Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = IMAP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = NNTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = HTTPMail Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = SMTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = POP3 Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = IMAP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = NNTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = HTTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = IMAP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = HTTPMail User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = HTTPMail Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = SMTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = POP3 Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = IMAP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = NNTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = HTTPMail Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = SMTP Password2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = POP3 Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = IMAP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = NNTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = HTTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = SMTP Password	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6, value_name = IMAP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c, value_name = SMTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c, value_name = SMTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c, value_name = POP3 Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c, value_name = POP3 User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c, value_name = SMTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c, value_name = NNTP Email Address	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c, value_name = NNTP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c, value_name = NNTP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c, value_name = IMAP Server	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c, value_name = IMAP User Name	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c, value_name = Email	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c, value_name = HTTP User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c, value_name = HTTP Server URL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c, value_name = POP3 User	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c	1	Fn
For performance reasons, the remaining 1419 entries are omitted. The remaining entries can be found in glog.xml.

Thread 0x6a4

Category	Operation	Information	Count	Logfile
Module	Load	module_name = SHELL32.dll, base_address = 0x7fefdb70000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = SHGetFolderPathW, address_out = 0x7fefdbf3ba4	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = PathCombineW, address_out = 0x7fefd5d3dfc	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = PathMatchSpecW, address_out = 0x7fefd5d1b64	1	Fn
File	Create	filename = C:\Users\aETAdzjz\Documents\Outlook Files\sdjwh@dive.djh.pst, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = C:\Users\aETAdzjz\Documents\Outlook Files\sdjwh@dive.djh.pst, size = 4, size_out = 4	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\Documents\Outlook Files\sdjwh@dive.djh.pst, size = 1, size_out = 1	2	Fn Data
File	Read	filename = C:\Users\aETAdzjz\Documents\Outlook Files\sdjwh@dive.djh.pst, size = 8, size_out = 8	5	Fn Data
File	Read	filename = C:\Users\aETAdzjz\Documents\Outlook Files\sdjwh@dive.djh.pst, size = 512, size_out = 512	15	Fn Data
File	Read	filename = C:\Users\aETAdzjz\Documents\Outlook Files\sdjwh@dive.djh.pst, size = 3156, size_out = 3156	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\Documents\Outlook Files\sdjwh@dive.djh.pst, size = 448, size_out = 448	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\Documents\Outlook Files\sdjwh@dive.djh.pst, size = 140, size_out = 140	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\Documents\Outlook Files\sdjwh@dive.djh.pst, size = 504, size_out = 504	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\Documents\Outlook Files\sdjwh@dive.djh.pst, size = 112, size_out = 112	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\Documents\Outlook Files\sdjwh@dive.djh.pst, size = 128, size_out = 128	2	Fn Data
File	Read	filename = C:\Users\aETAdzjz\Documents\Outlook Files\sdjwh@dive.djh.pst, size = 120, size_out = 120	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\Documents\Outlook Files\sdjwh@dive.djh.pst, size = 118, size_out = 118	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\Documents\Outlook Files\sdjwh@dive.djh.pst, size = 120, size_out = 120	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\Documents\Outlook Files\sdjwh@dive.djh.pst, size = 108, size_out = 108	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\Documents\Outlook Files\sdjwh@dive.djh.pst, size = 110, size_out = 110	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\Documents\Outlook Files\sdjwh@dive.djh.pst, size = 148, size_out = 148	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\Documents\Outlook Files\sdjwh@dive.djh.pst, size = 180, size_out = 180	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\Documents\Outlook Files\sdjwh@dive.djh.pst, size = 162, size_out = 162	1	Fn Data

Thread 0x740

Category	Operation	Information	Count	Logfile
System	Get Time	type = Ticks, time = 151898	1	Fn
File	Create Temp File	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.tmp, path = C:\Users\aETAdzjz\AppData\Local\Temp\	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = PathFindExtensionA, address_out = 0x7fefd5eb358	1	Fn
Process	Create	process_name = cmd, os_pid = 0x86c, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Process	Create	process_name = cmd, os_pid = 0x250, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Process	Create	process_name = cmd, os_pid = 0x248, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Process	Create	process_name = cmd, os_pid = 0x7dc, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Process	Create	process_name = cmd, os_pid = 0x610, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Process	Create	process_name = cmd, os_pid = 0x8e8, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Process	Create	process_name = cmd, os_pid = 0x87c, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Process	Create	process_name = cmd, os_pid = 0x888, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Process	Create	process_name = cmd, os_pid = 0xa54, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Process	Create	process_name = cmd, os_pid = 0x41c, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Process	Create	process_name = cmd, os_pid = 0x810, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Process	Create	process_name = cmd, os_pid = 0x900, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Process	Create	process_name = cmd, os_pid = 0x848, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Process	Create	process_name = cmd, os_pid = 0x904, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Process	Create	process_name = cmd, os_pid = 0x580, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin, type = size	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin, size = 161444, size_out = 161444	1	Fn Data
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin, size = 80722	1	Fn Data
System	Get Time	type = System Time, time = 2019-06-09 15:07:07 (UTC)	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin, type = file_attributes	1	Fn
System	Get Time	type = Ticks, time = 203908	1	Fn
File	Create Temp File	filename = C:\Users\aETAdzjz\AppData\Local\Temp\E3D6.tmp, path = C:\Users\aETAdzjz\AppData\Local\Temp\	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin, type = file_attributes	1	Fn
System	Get Time	type = Ticks, time = 203908	1	Fn
File	Create Temp File	filename = C:\Users\aETAdzjz\AppData\Local\Temp\DB32.tmp, path = C:\Users\aETAdzjz\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\DB32.bin, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\aETAdzjz\AppData\Local\Temp\DB32.bin, size = 80	1	Fn Data
File	Write	filename = C:\Users\aETAdzjz\AppData\Local\Temp\DB32.bin, size = 30	1	Fn Data
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin, type = file_attributes	1	Fn
File	Write	filename = C:\Users\aETAdzjz\AppData\Local\Temp\DB32.bin, size = 49	1	Fn Data
Process	Create	process_name = makecab.exe, os_pid = 0x850, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Temp\setup.inf	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Temp\setup.rpt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Temp\DB32.bin	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\E3D6.bin, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\E3D6.bin, type = size	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Sfi	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Sfi, value_name = 764028EAB3C0274F06, size = 92, type = REG_BINARY	1	Fn Data
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin	1	Fn

Thread 0x91c

2077

Category	Operation	Information	Count	Logfile
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\desktop.ini	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019060920190610\index.dat	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019060920190610	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\desktop.ini	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\desktop.ini	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MM5O9XQS\desktop.ini	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MM5O9XQS	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PMMR5K9K\desktop.ini	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PMMR5K9K	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RIJUQL1C\desktop.ini	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RIJUQL1C	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X9OHK109\desktop.ini	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X9OHK109	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\VisioLogFiles	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\000000929118[1].gif	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\11-b6a7e6-91cdfbc1[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\1[1].gif	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\2532[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\3_3_ino_smarthome_performance_728x90-default[1].gif	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\6144;kvmsft_pagetype=homepage;kvpg=msn%2Fde-de;kvugc=0;kvmn=MSNDEDE12;kvgrp=243782100;kvismob=2;extmirroring=0;kvtile=1;target=_blank;aduho=0;grp=243782100[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\6144;kvmsft_pagetype=homepage;kvpg=msn%2Fde-de;kvugc=0;kvmn=MSNDEDE1C;kvgrp=243782100;kvismob=2;extmirroring=0;kvtile=4;target=_blank;aduho=0;grp=243782100[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\6858;kvmsft_pagetype=homepage;kvpg=msn%2Fde-de;kvugc=0;kvmn=MSNDEDE1D;kvgrp=243794042;kvismob=2;extmirroring=0;kvtile=5;target=_blank;aduho=0;grp=243794042[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\7962161087[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\AA3e1pt[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\AA3e3XC[2].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\AA3vOVA[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\AA61yi9[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\AA6JPT3[2].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\AA8Tave[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\AAag599[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\AAmo09p[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\AAmUyV2[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\Adform.WriteHelper[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\adfscript[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\adfserve[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\adServer[1].htm	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\async_usersync[2].htm	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BB74fLs[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBB9wH0[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBBL4R9[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDA2Z8[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDAtwP[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDEBhY[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDENHn[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDFSY9[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDiDYy[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDKivI[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDKPiR[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDKWr8[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDLE8A[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDLfeZ[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDLGpz[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDLnD2[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDLNHE[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDLoXM[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDLpCk[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDLPMU[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDLufg[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDLv5i[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDLwpx[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDLxXg[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDM5IR[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDM8Mj[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDMcxK[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDMgVZ[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDMhpZ[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDMjYw[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDMkEn[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDMlhy[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDsiQ2[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDsyaT[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBDuJ15[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBjBl9m[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBoqF0J[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBqPKnQ[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\BBw2j7b[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\bootstrap[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\box_19_top-right[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\bs-util[1].css	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\clientconfig[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\COMMON[1].css	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\ContainerTag[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\ContainerTag[2].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\ContainerTag[3].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\css[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\cs[1].gif	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\DE-300x250-text03[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\desktop.ini	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\fe-5c8f1f-f30905ea[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\googbase_min[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\google_de[1].htm	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\gwdimage_min[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\gwdimage_style[1].css	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\js[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\latest[1].eot	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\match[1].gif	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\meversion[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\microsoft-gray[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\MSNIdSync[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\msn[1].htm	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\ms[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\pixel[1].gif	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\surly[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\URRYV-HX35J-LK4WZ-4TRKG-NBMKC[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\v2[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\v2[2]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\v2[3]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\v2[4]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\v2[5]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\v2[6]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\v2[7]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\v2[8]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT\v2[9]	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1WL4SQRT	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\000000983398[1].gif	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\11-b6a7e6-91cdfbc1[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\11-b6a7e6-91cdfbc1[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\14efd5f5[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\19328921[1].gif	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\3_3_ino_smarthome_performance_728x90-default[1].gif	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\6858;kvmsft_pagetype=homepage;kvpg=msn%2Fde-de;kvugc=0;kvmn=MSNDEDE11;kvgrp=243920512;kvismob=2;extmirroring=0;kvtile=2;target=_blank;aduho=0;grp=243920512[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\6858;kvmsft_pagetype=homepage;kvpg=msn%2Fde-de;kvugc=0;kvmn=MSNDEDE12;kvgrp=243913430;kvismob=2;extmirroring=0;kvtile=1;target=_blank;aduho=0;grp=243913430[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\6858;kvmsft_pagetype=homepage;kvpg=msn%2Fde-de;kvugc=0;kvmn=MSNDEDE12;kvgrp=243920512;kvismob=2;extmirroring=0;kvtile=1;target=_blank;aduho=0;grp=243920512[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\6858;kvmsft_pagetype=homepage;kvpg=msn%2Fde-de;kvugc=0;kvmn=MSNDEDE1B;kvgrp=243913430;kvismob=2;extmirroring=0;kvtile=3;target=_blank;aduho=0;grp=243913430[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\6858;kvmsft_pagetype=homepage;kvpg=msn%2Fde-de;kvugc=0;kvmn=MSNDEDE1B;kvgrp=243920512;kvismob=2;extmirroring=0;kvtile=4;target=_blank;aduho=0;grp=243920512[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\6858;kvmsft_pagetype=homepage;kvpg=msn%2Fde-de;kvugc=0;kvmn=MSNDEDE1C;kvgrp=243913430;kvismob=2;extmirroring=0;kvtile=4;target=_blank;aduho=0;grp=243913430[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\6858;kvmsft_pagetype=homepage;kvpg=msn%2Fde-de;kvugc=0;kvmn=MSNDEDE1C;kvgrp=243920512;kvismob=2;extmirroring=0;kvtile=5;target=_blank;aduho=0;grp=243920512[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\6858;kvmsft_pagetype=homepage;kvpg=msn%2Fde-de;kvugc=0;kvmn=MSNDEDE1D;kvgrp=243913430;kvismob=2;extmirroring=0;kvtile=5;target=_blank;aduho=0;grp=243913430[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\6858;kvmsft_pagetype=homepage;kvpg=msn%2Fde-de;kvugc=0;kvmn=MSNDEDE1D;kvgrp=243920512;kvismob=2;extmirroring=0;kvtile=6;target=_blank;aduho=0;grp=243920512[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\AA3e6zI[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\AA42ckd[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\AA7zvAd[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\AAfGQmV[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\AAicW5W[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\AAkhMz9[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\AAkqhIf[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\AAm2UN1[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\AAmin0Z[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\adex[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\Adform.DHTML[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\adfscript[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\adfscript[2]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\adfserve[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\adfserve[2]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\adfserve[3]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\adfserve[4]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\adServer[1].htm	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\advertisement.ad[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\async_usersync[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\async_usersync[2]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\async_usersync[3]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\ba[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BB1CcOi[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BB1kvzy[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BB6Ma4a[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDDVe8[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDEk7R[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDEmYI[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDEop9[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDEsv0[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDGDEz[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDJGUg[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDJJsJ[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDJurV[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDJZdv[2].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDK0KJ[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDK3QY[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDKcnv[2].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDKjtL[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDKo2P[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDKSfI[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDKUWf[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDLjFT[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDLjFT[2].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDLLBR[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDLM5y[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDLmEf[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDLPMU[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDLqdv[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDLsaK[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDLsFR[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDLuBc[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDLW8b[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDLXKp[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDntNC[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDrJ2v[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDstfh[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDtRBe[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBDw280[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBghfVy[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\BBs47TE[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\ci[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\COMMON[1].css	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\ContainerTag[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\controller[1].htm	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\dbm_mediaiqdigital_com[2].gif	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\desktop.ini	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\ebHtml5Banner[2].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\googlelogo_white_background_color_272x92dp[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\gwdpagedeck_min[2].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\jquery[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\js[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\js[2]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\latest[1].eot	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\latest[2].eot	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\latest[3].eot	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\log[1].gif	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\match[1].gif	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\match[2].gif	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\match[3].gif	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\match[4].gif	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\match[5].gif	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\profile[1].gif	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I\uhf-west-european-default.min[1].css	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5JW0IE7I	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\11-b6a7e6-91cdfbc1[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\14efd5f5[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\14efd5f5[2].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\19398275[1].gif	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\4[1].gif	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\6144;kvmsft_pagetype=homepage;kvpg=msn%2Fde-de;kvugc=0;kvmn=MSNDEDE1B;kvgrp=243782100;kvismob=2;extmirroring=0;kvtile=3;target=_blank;aduho=0;grp=243782100[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\6144;kvmsft_pagetype=homepage;kvpg=msn%2Fde-de;kvugc=0;kvmn=MSNDEDE1D;kvgrp=243782100;kvismob=2;extmirroring=0;kvtile=5;target=_blank;aduho=0;grp=243782100[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\AA42x3V[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\AA61AKN[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\AA61ILp[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\AAcN2Ks[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\AAmRY2Q[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\adfscript[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\adfscript[2]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\adfscript[3]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\adServer[1].htm	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\adServer[2].htm	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\ast[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\ast[2].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\async_usersync[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\async_usersync[2]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\async_usersync[3]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\async_usersync[4]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\ba[2].htm	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BB5zDwX[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBaK3Nm[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBB8ZbM[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBBseMP[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDDRiy[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDEuKV[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDFpHx[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDFSY9[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDIAFH[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDJEON[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDJIs4[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDJV7W[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDK0KJ[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDK2sB[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDK3QY[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDKWr8[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDLHiT[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDLl58[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDLLQz[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDLlX3[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDLq44[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDLt9V[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDLxXg[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDM6AR[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDM8ks[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDM8Mj[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDMcxK[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDMcZB[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDMdsm[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDMp3M[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDMpdZ[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDMptJ[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDr3Zu[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDvCmH[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDvM89[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBDvxii[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBmUxRK[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\BBo1lFJ[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\bootstrap[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\bs-components[1].css	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\chartbeat[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\collect[2].gif	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\config[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\ContainerTag[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\ContainerTag[2].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\desktop.ini	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\DevCMDL2.2.18[1].eot	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\e151e5[1].gif	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\fallback_728x90[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\fe-5c8f1f-f30905ea[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\gwdpage_min[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\gwdpage_style[2].css	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\ie8[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\jslibraries[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\js[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\js[2]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\js[3]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\js[4]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\log[1].gif	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\MemMDL2.2.17[1].eot	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\nav_logo229[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\pixels[1].htm	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\print[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\REZlo1[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\Standard[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\Standard[2]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\thirdparty[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\trpx[1].gif	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\uid[1].htm	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\u[1].gif	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\v2[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\v2[2]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\v2[3]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\wc-addons[1].css	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D\WebCore.4.19.0.ltr.light.min[1].css	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G003HD4D	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\2082701[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\2082701[2].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\2532[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\6858;kvmsft_pagetype=homepage;kvpg=msn%2Fde-de;kvugc=0;kvmn=MSNDEDE12;kvgrp=243794042;kvismob=2;extmirroring=0;kvtile=1;target=_blank;aduho=0;grp=243794042[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\6858;kvmsft_pagetype=homepage;kvpg=msn%2Fde-de;kvugc=0;kvmn=MSNDEDE1B;kvgrp=243794042;kvismob=2;extmirroring=0;kvtile=3;target=_blank;aduho=0;grp=243794042[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\6858;kvmsft_pagetype=homepage;kvpg=msn%2Fde-de;kvugc=0;kvmn=MSNDEDE1C;kvgrp=243794042;kvismob=2;extmirroring=0;kvtile=4;target=_blank;aduho=0;grp=243794042[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\AA3e1oO[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\AA429NP[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\AA42pjY[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\AA7XCQ3[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\AA8uCo4[2].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\AAbyinC[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\AAdAVrM[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\AAfOIDq[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\adfscript[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\adfserve[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\adfserve[2]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\adition[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\adServer[1].htm	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\adsWrapperMSNI[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\angular-locale_en-us[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\application[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\ast[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\async_usersync[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\async_usersync[2]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\b2fd15[2].eot	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BB46JmN[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BB56XTo[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BB8AdqN[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBALZyp[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBBLj61[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDAUkm[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDE29T[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDFK8W[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDFLTH[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDFqfK[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDFQm5[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDJGZ2[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDJIsX[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDJKj6[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDJTA8[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDJYPA[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDK03h[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDK305[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDk44m[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDK6DE[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDKehx[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDKsWM[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDKvdW[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDLCZd[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDLfeZ[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDLl8d[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDLLQz[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDLmdu[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDLmEf[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDLNHE[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDLPMU[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDLq44[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDLS6q[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDLv5i[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDLXKp[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDM2NJ[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDM8gk[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDM8ks[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDMgVZ[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDMopy[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDMp3M[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBDMwuY[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBg3ODX[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BBkkhJa[1].png	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\BByazif[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\bootstrap[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\bootstrap[2].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\bounce[1].gif	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\bs-jsdep[1].css	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\collect[1].gif	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\ContainerTag[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\ContainerTag[2].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\ContainerTag[3].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\core[1].css	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\desktop.ini	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\fallback_300x250[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\fallback_728x90[1].jpg	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\fe-5c8f1f-f30905ea[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\fe-5c8f1f-f30905ea[2]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\getid[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\gwdgenericad_min[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\gwdpagedeck_style[1].css	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\gwd_webcomponents_min[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\jquery-1.11.1.min[2].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\latest[1].eot	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\log[1].gif	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\match[1].gif	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\rs=ACT90oE8yoYdKkJDdxTdshvHJC7zAFXNdg[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\sbt-f6817f3a26c6[2].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\sem_ce1f66a3042d4bd6a3ccb0050c26ae01[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\Standard[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\thirdparty[1]	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\uhf-main.var.min[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\Utils_v9-long[1].js	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3\v2[1]	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEVK8ZW3	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\PrivacIE	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\aETAdzjz\AppData\Roaming\Microsoft	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\aETAdzjz\AppData\Roaming	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\aETAdzjz\AppData	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\aETAdzjz	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ff	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ff\	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ff\\3y2joh8o.default	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ff\\3y2joh8o.default\cookies.sqlite	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\sols	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\sols\macromedia.com	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\sols\macromedia.com\support	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\sols\macromedia.com\support\flashplayer	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\sols\macromedia.com\support\flashplayer\sys	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\sols\macromedia.com\support\flashplayer\sys\settings.sol	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\aetadzjz@g.live[1].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\aetadzjz@g.live[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\aetadzjz@g.live[1].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\aetadzjz@google[1].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\aetadzjz@google[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\aetadzjz@google[1].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\aetadzjz@live[1].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\aetadzjz@live[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\aetadzjz@live[1].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@ad.360yield[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@ad.360yield[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@ad.360yield[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@ad13.adfarm1.adition[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@ad13.adfarm1.adition[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@ad13.adfarm1.adition[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@addthis[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@addthis[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@addthis[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adfarm1.adition[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@adfarm1.adition[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adfarm1.adition[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adformdsp[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@adformdsp[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adformdsp[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adform[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@adform[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adform[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adnxs[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@adnxs[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adnxs[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adscale[1].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@adscale[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adscale[1].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adserving.ancoraplatform[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@adserving.ancoraplatform[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adserving.ancoraplatform[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adsrvr[1].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@adsrvr[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adsrvr[1].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adtech[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@adtech[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adtech[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@advertising[1].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@advertising[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@advertising[1].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@angsrvr[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@angsrvr[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@angsrvr[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@api.bing[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@api.bing[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@api.bing[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@at.atwola[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@at.atwola[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@at.atwola[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@bidswitch[1].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@bidswitch[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@bidswitch[1].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@bing[1].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@bing[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@bing[1].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@bluekai[1].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@bluekai[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@bluekai[1].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@bs.serving-sys[1].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@bs.serving-sys[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@bs.serving-sys[1].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@bs.serving-sys[3].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@bs.serving-sys[3].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@bs.serving-sys[3].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@c.bing[1].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@c.bing[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@c.bing[1].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@c.msn[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@c.msn[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@c.msn[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@c1.microsoft[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@c1.microsoft[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@c1.microsoft[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@casalemedia[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@casalemedia[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@casalemedia[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@connextra[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@connextra[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@connextra[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@crwdcntrl[1].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@crwdcntrl[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@crwdcntrl[1].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@demdex[1].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@demdex[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@demdex[1].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@doubleclick[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@doubleclick[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@doubleclick[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@dpm.demdex[1].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@dpm.demdex[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@dpm.demdex[1].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@exelator[1].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@exelator[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@exelator[1].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@eyeota[1].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@eyeota[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@eyeota[1].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@google[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@google[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@google[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@ibeu2.mookie1[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@ibeu2.mookie1[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@ibeu2.mookie1[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@ih.adscale[1].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@ih.adscale[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@ih.adscale[1].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@linkedin[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@linkedin[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@linkedin[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@m.exactag[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@m.exactag[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@m.exactag[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@mathtag[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@mathtag[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@mathtag[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@microsoft[1].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@microsoft[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@microsoft[1].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@msn[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@msn[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@msn[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@openx[1].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@openx[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@openx[1].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@pixel.rubiconproject[1].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@pixel.rubiconproject[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@pixel.rubiconproject[1].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@pubmatic[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@pubmatic[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@pubmatic[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@rubiconproject[1].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@rubiconproject[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@rubiconproject[1].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@scorecardresearch[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@scorecardresearch[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@scorecardresearch[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@semasio[1].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@semasio[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@semasio[1].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@server.adformdsp[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@server.adformdsp[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@server.adformdsp[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@serving-sys[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@serving-sys[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@serving-sys[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@serving.experianmarketingservices[1].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@serving.experianmarketingservices[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@serving.experianmarketingservices[1].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@smartadserver[1].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@smartadserver[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@smartadserver[1].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@tapad[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@tapad[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@tapad[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@track.adform[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@track.adform[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@track.adform[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@turn[1].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@turn[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@turn[1].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@w55c[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@w55c[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@w55c[2].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@www.bing[1].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@www.bing[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@www.bing[1].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@www.linkedin[1].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@www.linkedin[1].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@www.linkedin[1].txt	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@www.msn[2].txt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{B423FFBF-837B-066B-AD28-679A31DC8B6E}\cookie.ie\Low\aetadzjz@www.msn[2].txt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@www.msn[2].txt	1	Fn
Process	Enumerate Processes	-	50	Fn
Process	Open	desired_access = PROCESS_TERMINATE	1	Fn
Process	Terminate	exit_code = 0	1	Fn
Process	Enumerate Processes	-	50	Fn
Process	Open	desired_access = PROCESS_TERMINATE	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\storage\, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite, type = file_attributes	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\cache2\, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\, type = file_attributes	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\0\98\B60F3d01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\0\98	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\0\A8\C3B7Bd01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\0\A8	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\0\CB\44E8Cd01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\0\CB	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\0\E1\EBFA5d01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\0\E1	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\0\F4\9ADE8d01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\0\F4	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\0	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\1\03\3E20Ad01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\1\03	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\1\E4\3C9ECd01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\1\E4	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\1\F6\CBD4Dd01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\1\F6	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\1	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\2\48\7555Ad01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\2\48	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\2\59\DD6B0d01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\2\59	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\2	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\3\DA\2555Ed01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\3\DA	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\3	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\4\EE\95599d01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\4\EE	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\4	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\5\1B\2561Dd01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\5\1B	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\5\9A\28159d01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\5\9A	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\5\F1\C8C27d01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\5\F1	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\5	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\6	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\7\26\90EEBd01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\7\26	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\7\60\85957d01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\7\60	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\7	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\8\AE\93407d01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\8\AE	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\8	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\9\00\7AABCd01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\9\00	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\9\10\16A09d01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\9\10	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\9\2C\24B53d01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\9\2C	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\9\49\38779d01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\9\49	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\9\8D\2B984d01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\9\8D	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\9\E0\F17B2d01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\9\E0	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\9\FD\57344d01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\9\FD	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\9	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\A\AE\CF1AEd01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\A\AE	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\A\CE\65483d01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\A\CE	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\A	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\B\35\D456Ed01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\B\35	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\B\3E\50FD5d01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\B\3E	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\B\64\37ABBd01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\B\64	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\B\89\10CF4d01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\B\89	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\B\E5\9A8D1d01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\B\E5	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\B	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\C\1F\7ADBDd01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\C\1F	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\C\55\BF060d01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\C\55	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\C	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\D\07\1F307d01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\D\07	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\D\08\71469d01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\D\08	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\D\15\BF22Ad01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\D\15	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\D\FE\A0C36d01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\D\FE	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\D	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\E\17\D467Fd01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\E\17	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\E\45\C6466d01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\E\45	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\E\57\C6B34d01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\E\57	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\E\69\885EEd01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\E\69	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\E	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\F\23\7E0FEd01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\F\23	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\F\94\C3F14d01	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\F\94	1	Fn
File	Delete Directory	directory = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\F	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\_CACHE_001_	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\_CACHE_002_	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\_CACHE_003_	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\Cache\_CACHE_MAP_	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Cache\, type = file_attributes	1	Fn
Process	Enumerate Processes	-	50	Fn
Process	Open	desired_access = PROCESS_TERMINATE	1	Fn
Process	Terminate	exit_code = 0	1	Fn
Process	Enumerate Processes	-	50	Fn
Process	Open	desired_access = PROCESS_TERMINATE	1	Fn
Process	Terminate	exit_code = 0	1	Fn
Process	Enumerate Processes	-	50	Fn
Process	Open	desired_access = PROCESS_TERMINATE	1	Fn
Process	Terminate	exit_code = 0	1	Fn
Process	Enumerate Processes	-	50	Fn
Process	Open	desired_access = PROCESS_TERMINATE	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Cache\index	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Cookies, type = file_attributes	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Cookies	1	Fn

Thread 0x970

Category	Operation	Information	Count	Logfile
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = 92, address_out = 0x7fefddb33dc	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\MICROS~1\{F5FB2~1, type = file_attributes	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = PathIsDirectoryEmptyA, address_out = 0x7fefd5e8ca0	1	Fn
System	Get Time	type = Ticks, time = 155907	1	Fn
File	Create Temp File	filename = C:\Users\aETAdzjz\AppData\Local\Temp\2855.tmp, path = C:\Users\aETAdzjz\AppData\Local\Temp\	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\MICROS~1\{F5FB2~1, type = file_attributes	1	Fn
System	Get Time	type = Ticks, time = 155907	1	Fn
File	Create Temp File	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1FB1.tmp, path = C:\Users\aETAdzjz\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1FB1.bin, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1FB1.bin, size = 80	1	Fn Data
File	Write	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1FB1.bin, size = 30	1	Fn Data
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\MICROS~1\{F5FB2~1, type = file_attributes	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrRChrW, address_out = 0x7fefd5cb85c	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\MICROS~1\{F5FB2~1\01D51ED4E3ECF92009, type = file_attributes	1	Fn
File	Write	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1FB1.bin, size = 24	1	Fn Data
File	Write	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1FB1.bin, size = 22	1	Fn Data
Process	Create	process_name = makecab.exe, os_pid = 0xa04, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\MICROS~1\{F5FB2~1\setup.inf	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\MICROS~1\{F5FB2~1\setup.rpt	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1FB1.bin	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\2855.bin, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\2855.bin, type = size	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoCreateGuid, address_out = 0x7fefea3d9d0	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Sfi	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Sfi, value_name = AECAA210A7EA5C4A0F, size = 92, type = REG_BINARY	1	Fn Data
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{F5FB2C3C-D05C-EF89-82F9-0493D63D7877}\01D51ED4E3ECF92009	1	Fn

Thread 0xbe0

Category	Operation	Information	Success	Count	Logfile
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\MICROS~1\{F5FB2~1, type = file_attributes		1	Fn

Thread 0xae8

Category	Operation	Information	Success	Count	Logfile
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\MICROS~1\{F5FB2~1, type = file_attributes		1	Fn

Thread 0xa40

Category	Operation	Information	Success	Count	Logfile
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\MICROS~1\{F5FB2~1, type = file_attributes		1	Fn

Process #4: explorer.exe

498

Information	Value
ID	#4
File Name	c:\windows\syswow64\explorer.exe
Command Line	C:\Windows\SysWOW64\explorer.exe
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:43, Reason: Child Process
Unmonitor	End Time: 00:00:47, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

Information	Value
PID	0xaf8
Parent PID	0x458 (c:\windows\explorer.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x AFC 0x B14

Memory Dumps

Name	Start VA	End VA	Dump Reason	PE Rebuilds	Bitness	Entry Points	Actions
explorer.exe	0x003F0000	0x00670FFF	Content Changed	-	32-bit	-	... Region Actions Download Dump
explorer.exe	0x003F0000	0x00670FFF	Content Changed	-	32-bit	-	... Region Actions Download Dump
buffer	0x001F0000	0x001F0FFF	First Execution	-	32-bit	0x001F0218	... Region Actions Download Dump
buffer	0x002C1000	0x002ED58F	Marked Executable	-	32-bit	-	... Region Actions Download Dump
buffer	0x002C1000	0x002ED58F	Content Changed	-	32-bit	0x002D5000, 0x002E205D, ...	... Region Actions Download Dump

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#3: c:\windows\explorer.exe	0xaf0	address = 0x420efa, size = 4	2	Fn Data
Modify Memory	#3: c:\windows\explorer.exe	0xaf0	address = 0x2c0000, size = 1212416	1	Fn Data
Modify Memory	#3: c:\windows\explorer.exe	0xaf0	address = 0x1f0000, size = 792	1	Fn Data
Modify Control Flow	#3: c:\windows\explorer.exe	0xaf0	os_tid = 0xafc, address = 0x0	1	Fn

Threads

Thread 0xafc

498

Category	Operation	Information	Count	Logfile
Module	Load	module_name = ntdll.dll, base_address = 0x0	1	Fn
Module	Get Address	function = ZwClose, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = ZwOpenProcess, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = ZwOpenProcessToken, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = ZwQueryInformationToken, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = NtCreateSection, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = NtMapViewOfSection, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = RtlRandomEx, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = RtlGetVersion, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = NtQuerySystemInformation, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = RtlImageNtHeader, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = _strupr, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = _wcsupr, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = memmove, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = bsearch, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = _vsnwprintf, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = strstr, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = _strlwr, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = atoi, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = wcscpy, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = ZwQueryKey, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = sprintf, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = _snprintf, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = memset, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = mbstowcs, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = memcpy, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = strcpy, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = RtlImageDirectoryEntryToData, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = memcmp, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = _aulldiv, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = _allmul, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = _aullshr, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = _allshl, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = _chkstk, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = RtlUnwind, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = NtQueryVirtualMemory, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = FileTimeToSystemTime, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = OpenProcess, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetLocalTime, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = VirtualQueryEx, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = CreateRemoteThread, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetVersion, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = ExitThread, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetTempFileNameA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = DeleteCriticalSection, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = VirtualProtect, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetSystemInfo, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = lstrcmpA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetModuleFileNameA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetModuleHandleA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = lstrcmpiA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = MapViewOfFile, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = UnmapViewOfFile, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = Sleep, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = LoadLibraryA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = CloseHandle, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = WriteProcessMemory, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = CreateFileMappingA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetCurrentProcess, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = CreateFileA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = lstrlenA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GlobalUnlock, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = lstrcpyA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = HeapAlloc, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GlobalLock, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = RemoveDirectoryA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = DeleteFileA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = HeapFree, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = lstrcatA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = WriteFile, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = CreateDirectoryA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetLastError, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = InterlockedIncrement, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = InterlockedDecrement, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = HeapDestroy, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = HeapCreate, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = SetEvent, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = HeapReAlloc, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetTickCount, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = LocalFree, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = SuspendThread, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = ResumeThread, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = lstrcpyW, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = WaitForMultipleObjects, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = CreateDirectoryW, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = FindFirstFileW, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = CreateThread, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = TerminateProcess, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = SwitchToThread, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = lstrcatW, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = FindClose, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = ResetEvent, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = FindNextFileW, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetCurrentThreadId, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = LocalAlloc, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = CreateProcessW, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = CopyFileW, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = lstrlenW, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = SetWaitableTimer, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = DeleteFileW, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetCurrentThread, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = CreateEventA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetModuleFileNameW, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetTempPathA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = InterlockedExchange, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetFileAttributesW, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetFileSize, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = CreateFileW, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = WideCharToMultiByte, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = SetLastError, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = LeaveCriticalSection, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = EnterCriticalSection, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = CreateMutexA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetComputerNameA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = OpenWaitableTimerA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = OpenMutexA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = ReleaseMutex, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetVolumeInformationA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = WaitForSingleObject, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetComputerNameW, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = InitializeCriticalSection, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = LoadLibraryExW, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetProcAddress, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetExitCodeProcess, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = CreateProcessA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetDriveTypeW, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = OpenFileMappingA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = VirtualFree, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = lstrcpynA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = LocalReAlloc, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = TlsGetValue, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = TlsSetValue, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = TlsAlloc, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = LoadLibraryW, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetVersionExW, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = FreeLibrary, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = ReadFile, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = SetFilePointer, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = Thread32Next, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = QueueUserAPC, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = Thread32First, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetCurrentProcessId, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = OpenThread, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = FindNextFileA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = FindFirstFileA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = DisconnectNamedPipe, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = FlushFileBuffers, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetSystemTime, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = CreateNamedPipeA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = CallNamedPipeA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = WaitNamedPipeA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = ConnectNamedPipe, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetOverlappedResult, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = CancelIo, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetCommandLineA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = ExitProcess, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = OpenEventA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetTempPathW, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = RemoveDirectoryW, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = CompareFileTime, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = SleepEx, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetFileTime, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = SetEndOfFile, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetPrivateProfileSectionNamesW, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetPrivateProfileStringW, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = lstrcmpiW, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetPrivateProfileIntW, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = RaiseException, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = Process32FirstW, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = Process32NextW, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = QueueUserWorkItem, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = CreateWaitableTimerA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = GetFileAttributesA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = VirtualProtectEx, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Load	module_name = AVIFIL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = AVIFileExit, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = AVIFileRelease, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = AVIFileInit, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = AVIStreamWrite, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = AVIFileCreateStreamA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = AVIFileOpenA, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = AVIStreamRelease, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = AVIStreamSetFormat, ordinal = 0, address_out = 0x2bfdac	1	Fn
Module	Get Address	function = AVIMakeCompressedStream, ordinal = 0, address_out = 0x2bfdac	1	Fn
System	Get Time	type = Ticks, time = 111993	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\explorer.exe, base_address = 0x3f0000	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	module_name = AVIFIL32.dll, process_name = c:\windows\syswow64\explorer.exe, file_name_orig = C:\Windows\SysWOW64\explorer.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsWow64Process, address_out = 0x769f195e	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77340000	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x75220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7522ca94	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x76d00000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrRChrA, address_out = 0x76d0ccf5	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x76c00000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetWindowThreadProcessId, address_out = 0x76c191b4	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x76c00000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = FindWindowA, address_out = 0x76c1ffe6	1	Fn
Window	Find	class_name = ProgMan	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x76c2ae5f	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x76c00000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetWindowThreadProcessId, address_out = 0x76c191b4	1	Fn
Window	Find	class_name = ProgMan	1	Fn
System	Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn

Process #5: iexplore.exe

1144

Information	Value
ID	#5
File Name	c:\program files (x86)\internet explorer\iexplore.exe
Command Line	"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Initial Working Directory	C:\Users\aETAdzjz\
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:15:20, Reason: Terminated by Timeout
Monitor Duration	00:14:16

OS Process Information

Information	Value
PID	0xb54
Parent PID	0x458 (c:\windows\explorer.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B58 0x B5C 0x B9C 0x BA0 0x BB4 0x BB8 0x BBC 0x BC0 0x BC4 0x BC8 0x BCC 0x BD0 0x BDC 0x BE0 0x BE4 0x BF0 0x 90 0x 24C 0x 80C 0x 9A0 0x B88 0x 118 0x 30C 0x A88 0x 520 0x B20 0x 884 0x 96C 0x A6C

Memory Dumps

Name	Start VA	End VA	Dump Reason	PE Rebuilds	Bitness	Entry Points	Actions
iexplore.exe	0x00D60000	0x00E05FFF	Content Changed	-	32-bit	-	... Region Actions Download Dump
iexplore.exe	0x00D60000	0x00E05FFF	Content Changed	-	32-bit	-	... Region Actions Download Dump
buffer	0x00471000	0x0049D58F	Marked Executable	-	32-bit	-	... Region Actions Download Dump

Hook Information

Type	Installer	Target	Size	Information	Actions
Code	pagefile_0x0000000000470000:+0x1f68c	kernel32.dll:WakeConditionVariable+0x6026	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f68f	kernel32.dll:WakeConditionVariable+0x6025	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f6be	kernel32.dll:$$VProc_ImageExportDirectory+0x2cc	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f68c	kernel32.dll:WakeConditionVariable+0x602b	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f68f	kernel32.dll:WakeConditionVariable+0x602a	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f6be	kernel32.dll:$$VProc_ImageExportDirectory+0x2bc	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f68c	kernel32.dll:WakeConditionVariable+0x6030	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f68f	kernel32.dll:WakeConditionVariable+0x602f	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f68c	advapi32.dll:__sz_pcwum_dll+0x4461	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f68f	advapi32.dll:__sz_pcwum_dll+0x4460	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f6be	advapi32.dll:$$VProc_ImageExportDirectory+0x21c	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f68c	wininet.dll:InternetConfirmZoneCrossing+0x14d6b	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f68f	wininet.dll:InternetConfirmZoneCrossing+0x14d6a	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f6be	wininet.dll:+0x2a90	12 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f68c	wininet.dll:InternetConfirmZoneCrossing+0x14d70	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f68f	wininet.dll:InternetConfirmZoneCrossing+0x14d6f	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f6be	wininet.dll:+0x2b10	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f68c	wininet.dll:InternetConfirmZoneCrossing+0x14d75	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f68f	wininet.dll:InternetConfirmZoneCrossing+0x14d74	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f68c	wininet.dll:InternetConfirmZoneCrossing+0x14d7a	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f68f	wininet.dll:InternetConfirmZoneCrossing+0x14d79	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f68c	wininet.dll:InternetConfirmZoneCrossing+0x14d7f	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f68f	wininet.dll:InternetConfirmZoneCrossing+0x14d7e	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f6be	wininet.dll:+0x2980	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f68c	wininet.dll:InternetConfirmZoneCrossing+0x14d84	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f68f	wininet.dll:InternetConfirmZoneCrossing+0x14d83	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f6be	wininet.dll:+0x298c	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f68c	wininet.dll:InternetConfirmZoneCrossing+0x14d89	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f68f	wininet.dll:InternetConfirmZoneCrossing+0x14d88	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f6be	wininet.dll:+0x2a80	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f68c	wininet.dll:InternetConfirmZoneCrossing+0x14d8e	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f68f	wininet.dll:InternetConfirmZoneCrossing+0x14d8d	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f6be	wininet.dll:+0x2974	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f68c	wininet.dll:InternetConfirmZoneCrossing+0x14d93	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f68f	wininet.dll:InternetConfirmZoneCrossing+0x14d92	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f6be	wininet.dll:+0x2970	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f68c	wininet.dll:InternetConfirmZoneCrossing+0x14d98	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f68f	wininet.dll:InternetConfirmZoneCrossing+0x14d97	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000470000:+0x1f6be	wininet.dll:+0x29c0	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
IAT	pagefile_0x0000000000470000:+0x1f42a	32. entry of iexplore.exe	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000000470000:+0x2b9c1	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000000470000:+0x1f42a	143. entry of msvcrt.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000000470000:+0x2b9c1	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000000470000:+0x1f42a	142. entry of msvcrt.dll	4 bytes	kernel32.dll:CreateProcessA+0x0 now points to pagefile_0x0000000000470000:+0x2ba4e	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000000470000:+0x1f42a	259. entry of user32.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000000470000:+0x2b9c1	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000000470000:+0x1f42a	248. entry of shell32.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000000470000:+0x2b9c1	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000000470000:+0x1f42a	246. entry of shell32.dll	4 bytes	kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x0000000000470000:+0x2bb7d	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000000470000:+0x1f42a	310. entry of ole32.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000000470000:+0x2b9c1	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000000470000:+0x1f42a	122. entry of iertutil.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000000470000:+0x2b9c1	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000000470000:+0x1f42a	157. entry of iertutil.dll	4 bytes	advapi32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x0000000000470000:+0x2bb7d	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000000470000:+0x1f42a	500. entry of urlmon.dll	4 bytes	kernel32.dll:CreateProcessA+0x0 now points to pagefile_0x0000000000470000:+0x2ba4e	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000000470000:+0x1f42a	85. entry of urlmon.dll	4 bytes	wininet.dll:InternetReadFile+0x0 now points to wininet.dll:InternetConfirmZoneCrossing+0x14d6a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000000470000:+0x1f42a	96. entry of urlmon.dll	4 bytes	wininet.dll:InternetWriteFile+0x0 now points to wininet.dll:InternetConfirmZoneCrossing+0x14d6f	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000000470000:+0x1f42a	89. entry of urlmon.dll	4 bytes	wininet.dll:InternetReadFileExW+0x0 now points to wininet.dll:InternetConfirmZoneCrossing+0x14d79	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000000470000:+0x1f42a	97. entry of urlmon.dll	4 bytes	wininet.dll:HttpSendRequestW+0x0 now points to wininet.dll:InternetConfirmZoneCrossing+0x14d83	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000000470000:+0x1f42a	86. entry of urlmon.dll	4 bytes	wininet.dll:InternetQueryDataAvailable+0x0 now points to wininet.dll:InternetConfirmZoneCrossing+0x14d88	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000000470000:+0x1f42a	92. entry of urlmon.dll	4 bytes	wininet.dll:HttpOpenRequestW+0x0 now points to wininet.dll:InternetConfirmZoneCrossing+0x14d8d	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000000470000:+0x1f42a	116. entry of urlmon.dll	4 bytes	wininet.dll:InternetCloseHandle+0x0 now points to wininet.dll:InternetConfirmZoneCrossing+0x14d97	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000000470000:+0x1f42a	141. entry of wininet.dll	4 bytes	advapi32.dll:CreateProcessAsUserA+0x0 now points to pagefile_0x0000000000470000:+0x2badb	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000000470000:+0x1f42a	91. entry of msctf.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000000470000:+0x2b9c1	... Actions Go to Installer Region Go to Target Region

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#3: c:\windows\explorer.exe	0xb50	address = 0xd61c9a, size = 4	2	Fn Data
Modify Memory	#3: c:\windows\explorer.exe	0xb50	address = 0x470000, size = 1212416	1	Fn Data
Modify Memory	#3: c:\windows\explorer.exe	0xb50	address = 0x140000, size = 792	1	Fn Data
Modify Control Flow	#3: c:\windows\explorer.exe	0xb50	os_tid = 0xb58, address = 0x0	1	Fn

Threads

Thread 0xb58

960

Category	Operation	Information	Count	Logfile
Module	Load	module_name = ntdll.dll, base_address = 0x0	1	Fn
Module	Get Address	function = ZwClose, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = ZwOpenProcess, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = ZwOpenProcessToken, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = ZwQueryInformationToken, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = NtCreateSection, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = NtMapViewOfSection, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = RtlRandomEx, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = RtlGetVersion, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = NtQuerySystemInformation, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = RtlImageNtHeader, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = _strupr, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = _wcsupr, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = memmove, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = bsearch, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = _vsnwprintf, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = strstr, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = _strlwr, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = atoi, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = wcscpy, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = ZwQueryKey, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = sprintf, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = _snprintf, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = memset, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = mbstowcs, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = memcpy, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = strcpy, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = RtlImageDirectoryEntryToData, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = memcmp, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = _aulldiv, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = _allmul, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = _aullshr, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = _allshl, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = _chkstk, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = RtlUnwind, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = NtQueryVirtualMemory, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = FileTimeToSystemTime, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = OpenProcess, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetLocalTime, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = VirtualQueryEx, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = CreateRemoteThread, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetVersion, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = ExitThread, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetTempFileNameA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = DeleteCriticalSection, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = VirtualProtect, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetSystemInfo, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = lstrcmpA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetModuleFileNameA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetModuleHandleA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = lstrcmpiA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = MapViewOfFile, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = UnmapViewOfFile, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = Sleep, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = LoadLibraryA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = CloseHandle, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = WriteProcessMemory, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = CreateFileMappingA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetCurrentProcess, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = CreateFileA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = lstrlenA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GlobalUnlock, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = lstrcpyA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = HeapAlloc, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GlobalLock, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = RemoveDirectoryA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = DeleteFileA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = HeapFree, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = lstrcatA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = WriteFile, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = CreateDirectoryA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetLastError, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = InterlockedIncrement, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = InterlockedDecrement, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = HeapDestroy, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = HeapCreate, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = SetEvent, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = HeapReAlloc, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetTickCount, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = LocalFree, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = SuspendThread, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = ResumeThread, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = lstrcpyW, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = WaitForMultipleObjects, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = CreateDirectoryW, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = FindFirstFileW, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = CreateThread, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = TerminateProcess, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = SwitchToThread, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = lstrcatW, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = FindClose, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = ResetEvent, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = FindNextFileW, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetCurrentThreadId, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = LocalAlloc, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = CreateProcessW, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = CopyFileW, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = lstrlenW, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = SetWaitableTimer, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = DeleteFileW, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetCurrentThread, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = CreateEventA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetModuleFileNameW, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetTempPathA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = InterlockedExchange, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetFileAttributesW, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetFileSize, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = CreateFileW, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = WideCharToMultiByte, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = SetLastError, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = LeaveCriticalSection, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = EnterCriticalSection, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = CreateMutexA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetComputerNameA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = OpenWaitableTimerA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = OpenMutexA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = ReleaseMutex, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetVolumeInformationA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = WaitForSingleObject, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetComputerNameW, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = InitializeCriticalSection, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = LoadLibraryExW, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetProcAddress, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetExitCodeProcess, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = CreateProcessA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetDriveTypeW, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = OpenFileMappingA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = VirtualFree, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = lstrcpynA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = LocalReAlloc, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = TlsGetValue, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = TlsSetValue, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = TlsAlloc, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = LoadLibraryW, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetVersionExW, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = FreeLibrary, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = ReadFile, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = SetFilePointer, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = Thread32Next, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = QueueUserAPC, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = Thread32First, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetCurrentProcessId, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = OpenThread, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = FindNextFileA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = FindFirstFileA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = DisconnectNamedPipe, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = FlushFileBuffers, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetSystemTime, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = CreateNamedPipeA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = CallNamedPipeA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = WaitNamedPipeA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = ConnectNamedPipe, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetOverlappedResult, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = CancelIo, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetCommandLineA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = ExitProcess, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = OpenEventA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetTempPathW, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = RemoveDirectoryW, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = CompareFileTime, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = SleepEx, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetFileTime, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = SetEndOfFile, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetPrivateProfileSectionNamesW, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetPrivateProfileStringW, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = lstrcmpiW, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetPrivateProfileIntW, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = RaiseException, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = Process32FirstW, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = Process32NextW, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = QueueUserWorkItem, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = CreateWaitableTimerA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = GetFileAttributesA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = VirtualProtectEx, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Load	module_name = AVIFIL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = AVIFileExit, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = AVIFileRelease, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = AVIFileInit, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = AVIStreamWrite, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = AVIFileCreateStreamA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = AVIFileOpenA, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = AVIStreamRelease, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = AVIStreamSetFormat, ordinal = 0, address_out = 0x26fddc	1	Fn
Module	Get Address	function = AVIMakeCompressedStream, ordinal = 0, address_out = 0x26fddc	1	Fn
System	Get Time	type = Ticks, time = 130151	1	Fn
Module	Get Handle	module_name = c:\program files (x86)\internet explorer\iexplore.exe, base_address = 0xd60000	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	module_name = AVIFIL32.dll, process_name = c:\program files (x86)\internet explorer\iexplore.exe, file_name_orig = C:\Program Files (x86)\Internet Explorer\iexplore.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsWow64Process, address_out = 0x769f195e	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77340000	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x75220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7522ca94	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x76d00000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrRChrA, address_out = 0x76d0ccf5	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x76c00000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x76c2ae5f	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x76c00000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetWindowThreadProcessId, address_out = 0x76c191b4	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = FindWindowA, address_out = 0x76c1ffe6	1	Fn
Window	Find	class_name = ProgMan	1	Fn
Mutex	Create	mutex_name = {7A3DADF8-91AE-BC96-EB4E-55B04F6259E4}	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77340000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernelbase.dll, base_address = 0x75450000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameA, address_out = 0x7524a4b4	1	Fn
User	Get Username	-	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameA, address_out = 0x7524a4b4	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetThreadDesktop, address_out = 0x76c16c63	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetUserObjectInformationA, address_out = 0x76c3d396	2	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = CloseDesktop, address_out = 0x76c200fa	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77340000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75220000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75220000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Load	module_name = PSAPI.DLL, base_address = 0x77310000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\psapi.dll, function = EnumProcessModules, address_out = 0x77311408	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	30	Fn
Module	Get Filename	module_name = AVIFIL32.dll, process_name = c:\program files (x86)\internet explorer\iexplore.exe, file_name_orig = C:\Program Files (x86)\Internet Explorer\iexplore.exe, size = 260	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrStrIW, address_out = 0x76d146e9	10	Fn
Module	Load	module_name = WININET.DLL, base_address = 0x768e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExA, address_out = 0x75234907	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\SecureBrain\PhishWall	1	Fn
Module	Load	module_name = ieframe, base_address = 0x73c80000	1	Fn
Module	Load	module_name = ieui, base_address = 0x74950000	1	Fn
Module	Load	module_name = mshtml, base_address = 0x73500000	1	Fn
Module	Load	module_name = inetcpl.cpl, base_address = 0x73270000	1	Fn
Module	Load	module_name = ieapfltr, base_address = 0x72a20000	1	Fn
Module	Load	module_name = urlmon, base_address = 0x756b0000	1	Fn
Module	Load	module_name = WININET.dll, base_address = 0x768e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = InternetWriteFile, address_out = 0x769146da	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = InternetCanonicalizeUrlA, address_out = 0x7695a787	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = FindFirstUrlCacheEntryA, address_out = 0x7690d8ca	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = HttpEndRequestA, address_out = 0x769145ea	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = HttpSendRequestW, address_out = 0x7690ba12	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = InternetQueryOptionA, address_out = 0x768f1b56	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = InternetReadFileExW, address_out = 0x7692ae0e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = FindCloseUrlCache, address_out = 0x76928409	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = InternetOpenA, address_out = 0x7690f18e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = InternetConnectA, address_out = 0x769049e9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = InternetSetOptionA, address_out = 0x768f75e8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = HttpOpenRequestA, address_out = 0x76904c7d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = HttpSendRequestA, address_out = 0x769718f8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = InternetReadFile, address_out = 0x768fb406	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = InternetSetStatusCallback, address_out = 0x7690933e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = HttpAddRequestHeadersA, address_out = 0x768fdcd2	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = InternetCloseHandle, address_out = 0x768fab49	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = InternetQueryOptionW, address_out = 0x768f7ed7	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = HttpOpenRequestW, address_out = 0x76904a42	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = HttpQueryInfoA, address_out = 0x768fa33e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = InternetGetCookieA, address_out = 0x76972c90	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = InternetReadFileExA, address_out = 0x7692ae46	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = FindNextUrlCacheEntryA, address_out = 0x7690da09	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = DeleteUrlCacheEntry, address_out = 0x769259e8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = InternetQueryDataAvailable, address_out = 0x76905e5d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = HttpSendRequestExA, address_out = 0x76971812	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\wininet.dll, base_address = 0x768e0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\wininet.dll, base_address = 0x768e0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\wininet.dll, base_address = 0x768e0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\wininet.dll, base_address = 0x768e0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\wininet.dll, base_address = 0x768e0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\wininet.dll, base_address = 0x768e0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\wininet.dll, base_address = 0x768e0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\wininet.dll, base_address = 0x768e0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\wininet.dll, base_address = 0x768e0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\wininet.dll, base_address = 0x768e0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	59	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyA, address_out = 0x7522cc15	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExA, address_out = 0x752348ef	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExA, address_out = 0x752348ef	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x7523469d	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Config	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyA, address_out = 0x7522cd01	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY	1	Fn
System	Get Computer Name	result_out = YKYD69Q	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = ProductID, data = 48	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = ProductName, data = 87	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = CurrentVersion, data = 54	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data = 138	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Scr, type = REG_NONE	1	Fn
Process	Create	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, os_pid = 0x130, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Memory	Read	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 2130567168, size = 488	1	Fn Data
Memory	Read	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 14024704, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 14024952, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 14032026, size = 4	1	Fn Data
Memory	Protect	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 14032026, protection = PAGE_EXECUTE_READWRITE, size = 4	1	Fn
Memory	Write	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 0xd61c9a, size = 4	1	Fn Data
Memory	Protect	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 14032026, protection = PAGE_EXECUTE_READ, size = 4	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ResumeThread, address_out = 0x769f43ef	1	Fn
Thread	Resume	os_tid = 0x7d8	1	Fn
System	Sleep	duration = 100 milliseconds (0.100 seconds)	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SuspendThread, address_out = 0x76a17d7e	1	Fn
Thread	Suspend	process_name = c:\program files (x86)\internet explorer\iexplore.exe, os_tid = 0x7d8	1	Fn
Thread	Get Context	process_name = c:\program files (x86)\internet explorer\iexplore.exe, os_tid = 0x7d8	1	Fn
Module	Create Mapping	protection = PAGE_EXECUTE_READWRITE, maximum_size = 2543216	1	Fn
Module	Map	process_name = c:\program files (x86)\internet explorer\iexplore.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x5860000	1	Fn
Module	Map	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x3f0000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77340000	1	Fn
Module	Get Filename	module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\program files (x86)\internet explorer\iexplore.exe, file_name_orig = C:\Windows\SysWOW64\ntdll.dll, size = 260	1	Fn
File	Create	filename = C:\Windows\SysWOW64\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\SysWOW64\ntdll.dll, size = 4, size_out = 4	1	Fn Data
Module	Get Filename	module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\program files (x86)\internet explorer\iexplore.exe, file_name_orig = C:\Windows\SysWOW64\ntdll.dll, size = 260	1	Fn
File	Create	filename = C:\Windows\SysWOW64\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\SysWOW64\ntdll.dll, size = 4, size_out = 4	1	Fn Data
Module	Get Filename	module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\program files (x86)\internet explorer\iexplore.exe, file_name_orig = C:\Windows\SysWOW64\ntdll.dll, size = 260	1	Fn
File	Create	filename = C:\Windows\SysWOW64\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\SysWOW64\ntdll.dll, size = 4, size_out = 4	1	Fn Data
Memory	Allocate	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 2542460, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 2542456	1	Fn
Thread	Get Context	process_name = c:\program files (x86)\internet explorer\iexplore.exe, os_tid = 0x7d8	1	Fn
Memory	Write	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 0x250000, size = 792	1	Fn Data
Thread	Set Context	process_name = c:\program files (x86)\internet explorer\iexplore.exe, os_tid = 0x7d8	1	Fn
Module	Unmap	process_name = c:\program files (x86)\internet explorer\iexplore.exe	1	Fn
Memory	Protect	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 14032026, protection = PAGE_EXECUTE_READWRITE, size = 4	1	Fn
Memory	Write	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 0xd61c9a, size = 4	1	Fn Data
Memory	Protect	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 14032026, protection = PAGE_EXECUTE_READ, size = 4	1	Fn

Thread 0xb9c

Category	Operation	Information	Success	Count	Logfile
System	Sleep	duration = -1 (infinite)		1	Fn

Thread 0xba0

149

Category	Operation	Information	Count	Logfile
Mutex	Open	mutex_name = Local\{FCF9E212-2B0D-8EC0-95F0-8FA2992433F6}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Mutex	Open	mutex_name = Local\{4B67ACB1-2E14-B54D-90AF-42B9C45396FD}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Mutex	Open	mutex_name = Local\{A3415127-A63A-CD11-C887-3A517CAB0E15}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindFileNameA, address_out = 0x76d100aa	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = {46DA6D74-EDEC-6869-A7DA-711CCBAE3510}, type = REG_NONE	1	Fn
System	Get Time	type = System Time, time = 2019-06-09 15:06:15 (UTC)	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExA, address_out = 0x752314b3	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = {46DA6D74-EDEC-6869-A7DA-711CCBAE3510}, size = 8, type = REG_BINARY	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegNotifyChangeKeyValue, address_out = 0x7522e15b	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Mutex	Release	mutex_name = Local\{A3415127-A63A-CD11-C887-3A517CAB0E15}	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Sfi	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegEnumValueA, address_out = 0x7522cf49	1	Fn
Registry	Enumerate Values	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Sfi	1	Fn
File	Create	filename = \\.\pipe\{5797B6E3-CA4C-A155-8C7B-9E6580DFB269}, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OVERLAPPED	1	Fn
File	Write	filename = \\.\pipe\{5797B6E3-CA4C-A155-8C7B-9E6580DFB269}, size = 12	1	Fn Data
File	Write	filename = \\.\pipe\{5797B6E3-CA4C-A155-8C7B-9E6580DFB269}, size = 92	1	Fn Data
File	Read	filename = \\.\pipe\{5797B6E3-CA4C-A155-8C7B-9E6580DFB269}, size = 12, size_out = 12	1	Fn Data
File	Read	filename = \\.\pipe\{5797B6E3-CA4C-A155-8C7B-9E6580DFB269}, size = 152, size_out = 152	1	Fn Data
File	Open Mapping	filename = Local\{BE5AE8D3-0543-A058-7FD2-09D423264D48}, desired_access = FILE_MAP_RESERVE	1	Fn
Module	Map	Local\{BE5AE8D3-0543-A058-7FD2-09D423264D48}, process_name = c:\program files (x86)\internet explorer\iexplore.exe, desired_access = FILE_MAP_READ	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrTrimA, address_out = 0x76d3e63c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrChrA, address_out = 0x76d0c5e6	2	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG, flags = INTERNET_FLAG_ASYNC	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = pilodirsob.com, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP/1.1, target_resource = /images/t_2Bbwrq/4hGdgyKXBVaYI8sycTeG_2F/7fwTKT5wKm/53_2FI_2F_2BUpoKX/1JUdFqL3BccG/ALIEe9yHqZs/CuBwVyvngvfzHK/j01D3Nd_2BsoELZZgRztf/Hjzmf0XYORqncRr5/nrUwyG5XfT7xNoF/3WbskiH5Xge7m5sju_/2Bh3mTulO/O9vqdGGP1An2dNtNLrrJ/ww899q9EO0SD2Cw6wV5/GuLKDA_2FAdE/viwXv.bmp, accept_types = 0, flags = INTERNET_FLAG_CACHE_ASYNC, INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
System	Get Time	type = Ticks, time = 166843	1	Fn
Inet	Add HTTP Request Headers	headers = Content-Type: multipart/form-data; boundary=--------------------------115343b115343b115343b	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = pilodirsob.com/images/t_2Bbwrq/4hGdgyKXBVaYI8sycTeG_2F/7fwTKT5wKm/53_2FI_2F_2BUpoKX/1JUdFqL3BccG/ALIEe9yHqZs/CuBwVyvngvfzHK/j01D3Nd_2BsoELZZgRztf/Hjzmf0XYORqncRr5/nrUwyG5XfT7xNoF/3WbskiH5Xge7m5sju_/2Bh3mTulO/O9vqdGGP1An2dNtNLrrJ/ww899q9EO0SD2Cw6wV5/GuLKDA_2FAdE/viwXv.bmp	1	Fn Data
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	2	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Module	Unmap	process_name = c:\program files (x86)\internet explorer\iexplore.exe	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY	2	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Config	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY	2	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Config	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY	2	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Config	1	Fn
System	Sleep	duration = -1 (infinite)	2	Fn
Mutex	Release	mutex_name = Local\{A3415127-A63A-CD11-C887-3A517CAB0E15}	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Sfi	1	Fn
Registry	Enumerate Values	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Sfi	1	Fn
File	Create	filename = \\.\pipe\{5797B6E3-CA4C-A155-8C7B-9E6580DFB269}, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OVERLAPPED	1	Fn
File	Write	filename = \\.\pipe\{5797B6E3-CA4C-A155-8C7B-9E6580DFB269}, size = 12	1	Fn Data
File	Write	filename = \\.\pipe\{5797B6E3-CA4C-A155-8C7B-9E6580DFB269}, size = 92	1	Fn Data
File	Read	filename = \\.\pipe\{5797B6E3-CA4C-A155-8C7B-9E6580DFB269}, size = 12, size_out = 12	1	Fn Data
File	Read	filename = \\.\pipe\{5797B6E3-CA4C-A155-8C7B-9E6580DFB269}, size = 152, size_out = 152	1	Fn Data
File	Open Mapping	filename = Local\{510697B8-7C8B-AB70-0E15-700F2219A4B3}, desired_access = FILE_MAP_RESERVE	1	Fn
Module	Map	Local\{510697B8-7C8B-AB70-0E15-700F2219A4B3}, process_name = c:\program files (x86)\internet explorer\iexplore.exe, desired_access = FILE_MAP_READ	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG, flags = INTERNET_FLAG_ASYNC	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = pilodirsob.com, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP/1.1, target_resource = /images/FDqtJFjzhKMo0poCP1/rWlB9yzfz/C9MLfXrVtkvtM1KRACfp/_2FREOHnbbVAGiNGrYJ/FL1rfJ1myGWyIUQThK7qOx/BwesbP_2BnsoP/E0QHPxve/Jo5rlhISU6nZqdz2b8pbMfF/6UvM9pL3MJ/rThvhPESwU6pxyqgR/W1yfVNsWUiWF/Mq681DDK240/f0q9y_2Bdsib48/pFWZGi9Jrpw14ly3VGBeS/DIu.bmp, accept_types = 0, flags = INTERNET_FLAG_CACHE_ASYNC, INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
System	Get Time	type = Ticks, time = 465865	1	Fn
Inet	Add HTTP Request Headers	headers = Content-Type: multipart/form-data; boundary=--------------------------119c449119c449119c449	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = pilodirsob.com/images/FDqtJFjzhKMo0poCP1/rWlB9yzfz/C9MLfXrVtkvtM1KRACfp/_2FREOHnbbVAGiNGrYJ/FL1rfJ1myGWyIUQThK7qOx/BwesbP_2BnsoP/E0QHPxve/Jo5rlhISU6nZqdz2b8pbMfF/6UvM9pL3MJ/rThvhPESwU6pxyqgR/W1yfVNsWUiWF/Mq681DDK240/f0q9y_2Bdsib48/pFWZGi9Jrpw14ly3VGBeS/DIu.bmp	1	Fn Data
System	Sleep	duration = 120000 milliseconds (120.000 seconds)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Module	Unmap	process_name = c:\program files (x86)\internet explorer\iexplore.exe	1	Fn
System	Sleep	duration = -1 (infinite)	2	Fn
Mutex	Release	mutex_name = Local\{A3415127-A63A-CD11-C887-3A517CAB0E15}	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Sfi	1	Fn
Registry	Enumerate Values	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Sfi	1	Fn
File	Create	filename = \\.\pipe\{5797B6E3-CA4C-A155-8C7B-9E6580DFB269}, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OVERLAPPED	1	Fn
File	Write	filename = \\.\pipe\{5797B6E3-CA4C-A155-8C7B-9E6580DFB269}, size = 12	1	Fn Data
File	Write	filename = \\.\pipe\{5797B6E3-CA4C-A155-8C7B-9E6580DFB269}, size = 92	1	Fn Data
File	Read	filename = \\.\pipe\{5797B6E3-CA4C-A155-8C7B-9E6580DFB269}, size = 12, size_out = 12	1	Fn Data
File	Read	filename = \\.\pipe\{5797B6E3-CA4C-A155-8C7B-9E6580DFB269}, size = 152, size_out = 152	1	Fn Data
File	Open Mapping	filename = Local\{F2C61CFD-A979-F476-C346-ED68A7DA711C}, desired_access = FILE_MAP_RESERVE	1	Fn
Module	Map	Local\{F2C61CFD-A979-F476-C346-ED68A7DA711C}, process_name = c:\program files (x86)\internet explorer\iexplore.exe, desired_access = FILE_MAP_READ	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG, flags = INTERNET_FLAG_ASYNC	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = pilodirsob.com, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP/1.1, target_resource = /images/micpyTcOEehAuAs7/_2F_2FaOLGeSfBg/SpqBP8BgrEPPu7fRQk/ZeJOITtHs/YWEqWFBZeXLDHvssfO9r/i_2FIb5Uzc70BiTAWZ9/pW3MoyQFCUx52IDsZSb5d1/NEH549uzpN_2B/_2FSVPr4/NvChszaTrwqyOg_2BEy5Xdb/D687vZ8oiI/0NSSiOjDkO10iDprd/Qviosj1zecPb/eHRsDzQsJxM/44j8owHTlQn/rF.bmp, accept_types = 0, flags = INTERNET_FLAG_CACHE_ASYNC, INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
System	Get Time	type = Ticks, time = 765871	1	Fn
Inet	Add HTTP Request Headers	headers = Content-Type: multipart/form-data; boundary=--------------------------11e582f11e582f11e582f	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = pilodirsob.com/images/micpyTcOEehAuAs7/_2F_2FaOLGeSfBg/SpqBP8BgrEPPu7fRQk/ZeJOITtHs/YWEqWFBZeXLDHvssfO9r/i_2FIb5Uzc70BiTAWZ9/pW3MoyQFCUx52IDsZSb5d1/NEH549uzpN_2B/_2FSVPr4/NvChszaTrwqyOg_2BEy5Xdb/D687vZ8oiI/0NSSiOjDkO10iDprd/Qviosj1zecPb/eHRsDzQsJxM/44j8owHTlQn/rF.bmp	1	Fn Data
System	Sleep	duration = 120000 milliseconds (120.000 seconds)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Module	Unmap	process_name = c:\program files (x86)\internet explorer\iexplore.exe	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn

Thread 0xbb8

Category	Operation	Information	Count	Logfile
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /favicon.ico, accept_types = 56750148, flags = INTERNET_FLAG_NEED_FILE, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_REQUEST_METHOD, size_out = 3	1	Fn Data
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrStrIA, address_out = 0x76d0d250	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS	1	Fn
Inet	Read Response	size = 237, size_out = 237	1	Fn Data
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Process #6: firefox.exe

599

Information	Value
ID	#6
File Name	c:\program files (x86)\mozilla firefox\firefox.exe
Command Line	"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
Initial Working Directory	C:\Program Files (x86)\Mozilla Firefox\
Monitor	Start Time: 00:01:05, Reason: Child Process
Unmonitor	End Time: 00:01:58, Reason: Self Terminated
Monitor Duration	00:00:52

OS Process Information

Information	Value
PID	0xb64
Parent PID	0x458 (c:\windows\explorer.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B68 0x B78 0x B80 0x B84 0x BF8 0x BFC 0x 8E8 0x 8E4 0x 8E0 0x 830 0x 88C 0x 938 0x 87C 0x 880 0x 884 0x 888 0x 894 0x 6AC 0x 308 0x 890 0x 4B0 0x 610 0x 360 0x 35C 0x 820 0x 824 0x 8DC 0x 51C 0x 868 0x 82C 0x 974 0x 9D0 0x 9B8 0x 9BC 0x 9C0 0x 9AC 0x A54 0x 9F4 0x 9EC 0x A58 0x 9A8 0x 9E8 0x A0C 0x A08 0x AF4 0x AE4 0x AF0 0x B14 0x 478 0x B18 0x A1C 0x A20

Memory Dumps

Name	Start VA	End VA	Dump Reason	PE Rebuilds	Bitness	Entry Points	Actions
firefox.exe	0x01120000	0x01163FFF	Content Changed	-	32-bit	-	... Region Actions Download Dump
firefox.exe	0x01120000	0x01163FFF	Content Changed	-	32-bit	-	... Region Actions Download Dump
firefox.exe	0x01120000	0x01163FFF	Process Termination	-	32-bit	-	... Region Actions Download Dump

Hook Information

Type	Installer	Target	Size	Information	Actions
Code	pagefile_0x0000000000810000:+0x1f68c	nss3.dll:sqlite3_open16+0x1131	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000810000:+0x1f68f	nss3.dll:sqlite3_open16+0x1130	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000810000:+0x1f68c	nss3.dll:sqlite3_open16+0x1136	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000810000:+0x1f68f	nss3.dll:sqlite3_open16+0x1135	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000810000:+0x1f68c	nss3.dll:sqlite3_open16+0x113b	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000810000:+0x1f68f	nss3.dll:sqlite3_open16+0x113a	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000810000:+0x1f68c	nss3.dll:sqlite3_open16+0x1140	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000000810000:+0x1f68f	nss3.dll:sqlite3_open16+0x113f	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#3: c:\windows\explorer.exe	0xb60	address = 0x1122478, size = 4	2	Fn Data
Modify Memory	#3: c:\windows\explorer.exe	0xb60	address = 0x810000, size = 1212416	1	Fn Data
Modify Memory	#3: c:\windows\explorer.exe	0xb60	address = 0xe0000, size = 792	1	Fn Data
Modify Control Flow	#3: c:\windows\explorer.exe	0xb60	os_tid = 0xb68, address = 0x0	1	Fn

Threads

Thread 0xb68

590

Category	Operation	Information	Count	Logfile
Module	Load	module_name = ntdll.dll, base_address = 0x0	1	Fn
Module	Get Address	function = ZwClose, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = ZwOpenProcess, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = ZwOpenProcessToken, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = ZwQueryInformationToken, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = NtCreateSection, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = NtMapViewOfSection, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = RtlRandomEx, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = RtlGetVersion, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = NtQuerySystemInformation, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = RtlImageNtHeader, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = _strupr, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = _wcsupr, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = memmove, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = bsearch, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = _vsnwprintf, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = strstr, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = _strlwr, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = atoi, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = wcscpy, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = ZwQueryKey, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = sprintf, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = _snprintf, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = memset, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = mbstowcs, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = memcpy, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = strcpy, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = RtlImageDirectoryEntryToData, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = memcmp, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = _aulldiv, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = _allmul, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = _aullshr, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = _allshl, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = _chkstk, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = RtlUnwind, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = NtQueryVirtualMemory, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = FileTimeToSystemTime, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = OpenProcess, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetLocalTime, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = VirtualQueryEx, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = CreateRemoteThread, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetVersion, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = ExitThread, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetTempFileNameA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = DeleteCriticalSection, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = VirtualProtect, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetSystemInfo, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = lstrcmpA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetModuleFileNameA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetModuleHandleA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = lstrcmpiA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = MapViewOfFile, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = UnmapViewOfFile, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = Sleep, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = LoadLibraryA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = CloseHandle, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = WriteProcessMemory, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = CreateFileMappingA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetCurrentProcess, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = CreateFileA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = lstrlenA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GlobalUnlock, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = lstrcpyA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = HeapAlloc, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GlobalLock, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = RemoveDirectoryA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = DeleteFileA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = HeapFree, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = lstrcatA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = WriteFile, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = CreateDirectoryA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetLastError, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = InterlockedIncrement, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = InterlockedDecrement, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = HeapDestroy, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = HeapCreate, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = SetEvent, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = HeapReAlloc, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetTickCount, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = LocalFree, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = SuspendThread, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = ResumeThread, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = lstrcpyW, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = WaitForMultipleObjects, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = CreateDirectoryW, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = FindFirstFileW, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = CreateThread, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = TerminateProcess, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = SwitchToThread, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = lstrcatW, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = FindClose, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = ResetEvent, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = FindNextFileW, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetCurrentThreadId, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = LocalAlloc, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = CreateProcessW, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = CopyFileW, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = lstrlenW, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = SetWaitableTimer, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = DeleteFileW, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetCurrentThread, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = CreateEventA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetModuleFileNameW, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetTempPathA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = InterlockedExchange, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetFileAttributesW, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetFileSize, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = CreateFileW, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = WideCharToMultiByte, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = SetLastError, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = LeaveCriticalSection, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = EnterCriticalSection, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = CreateMutexA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetComputerNameA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = OpenWaitableTimerA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = OpenMutexA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = ReleaseMutex, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetVolumeInformationA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = WaitForSingleObject, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetComputerNameW, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = InitializeCriticalSection, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = LoadLibraryExW, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetProcAddress, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetExitCodeProcess, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = CreateProcessA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetDriveTypeW, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = OpenFileMappingA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = VirtualFree, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = lstrcpynA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = LocalReAlloc, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = TlsGetValue, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = TlsSetValue, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = TlsAlloc, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = LoadLibraryW, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetVersionExW, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = FreeLibrary, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = ReadFile, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = SetFilePointer, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = Thread32Next, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = QueueUserAPC, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = Thread32First, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetCurrentProcessId, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = OpenThread, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = FindNextFileA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = FindFirstFileA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = DisconnectNamedPipe, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = FlushFileBuffers, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetSystemTime, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = CreateNamedPipeA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = CallNamedPipeA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = WaitNamedPipeA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = ConnectNamedPipe, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetOverlappedResult, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = CancelIo, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetCommandLineA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = ExitProcess, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = OpenEventA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetTempPathW, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = RemoveDirectoryW, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = CompareFileTime, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = SleepEx, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetFileTime, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = SetEndOfFile, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetPrivateProfileSectionNamesW, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetPrivateProfileStringW, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = lstrcmpiW, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetPrivateProfileIntW, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = RaiseException, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = Process32FirstW, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = Process32NextW, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = QueueUserWorkItem, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = CreateWaitableTimerA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = GetFileAttributesA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = VirtualProtectEx, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Load	module_name = AVIFIL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = AVIFileExit, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = AVIFileRelease, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = AVIFileInit, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = AVIStreamWrite, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = AVIFileCreateStreamA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = AVIFileOpenA, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = AVIStreamRelease, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = AVIStreamSetFormat, ordinal = 0, address_out = 0x3ffc24	1	Fn
Module	Get Address	function = AVIMakeCompressedStream, ordinal = 0, address_out = 0x3ffc24	1	Fn
System	Get Time	type = Ticks, time = 131446	1	Fn
Module	Get Handle	module_name = c:\program files (x86)\mozilla firefox\firefox.exe, base_address = 0x1120000	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	module_name = AVIFIL32.dll, process_name = c:\program files (x86)\mozilla firefox\firefox.exe, file_name_orig = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsWow64Process, address_out = 0x769f195e	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77340000	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x75220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7522ca94	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x76d00000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrRChrA, address_out = 0x76d0ccf5	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x76c00000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x76c2ae5f	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x76c00000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetWindowThreadProcessId, address_out = 0x76c191b4	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = FindWindowA, address_out = 0x76c1ffe6	1	Fn
Window	Find	class_name = ProgMan	1	Fn
Mutex	Create	mutex_name = {4A9E43FA-2179-0C40-FB1E-E5005F32E934}	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77340000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernelbase.dll, base_address = 0x75450000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameA, address_out = 0x7524a4b4	1	Fn
User	Get Username	-	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameA, address_out = 0x7524a4b4	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetThreadDesktop, address_out = 0x76c16c63	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetUserObjectInformationA, address_out = 0x76c3d396	2	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = CloseDesktop, address_out = 0x76c200fa	1	Fn
Module	Get Filename	module_name = AVIFIL32.dll, process_name = c:\program files (x86)\mozilla firefox\firefox.exe, file_name_orig = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, size = 260	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrStrIW, address_out = 0x76d146e9	10	Fn
Module	Load	module_name = NSPR4.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = NSS3.DLL, base_address = 0x73ac0000	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PR_GetError, address_out = 0x73ac7aa0	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PR_SetError, address_out = 0x73ac7b00	1	Fn
Module	Get Handle	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, base_address = 0x73ac0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, base_address = 0x73ac0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, base_address = 0x73ac0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, base_address = 0x73ac0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Load	module_name = PSAPI.DLL, base_address = 0x77310000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\psapi.dll, function = EnumProcessModules, address_out = 0x77311408	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	32	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyA, address_out = 0x7522cc15	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExA, address_out = 0x752348ef	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExA, address_out = 0x752348ef	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x7523469d	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Config	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyA, address_out = 0x7522cd01	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY	1	Fn
System	Get Computer Name	result_out = YKYD69Q	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExA, address_out = 0x75234907	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = ProductID, data = 48	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = ProductName, data = 87	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = CurrentVersion, data = 54	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data = 138	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Scr, type = REG_NONE	1	Fn

Thread 0xb80

Category	Operation	Information	Success	Count	Logfile
System	Sleep	duration = -1 (infinite)		1	Fn

Thread 0xb84

Category	Operation	Information	Count	Logfile
Mutex	Open	mutex_name = Local\{FCF9E212-2B0D-8EC0-95F0-8FA2992433F6}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Mutex	Open	mutex_name = Local\{4B67ACB1-2E14-B54D-90AF-42B9C45396FD}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Mutex	Open	mutex_name = Local\{A3415127-A63A-CD11-C887-3A517CAB0E15}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn

Process #7: chrome.exe

1039

Information	Value
ID	#7
File Name	c:\program files (x86)\google\chrome\application\chrome.exe
Command Line	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --use-spdy=off
Initial Working Directory	C:\Program Files (x86)\Google\Chrome\Application\
Monitor	Start Time: 00:01:06, Reason: Child Process
Unmonitor	End Time: 00:01:59, Reason: Self Terminated
Monitor Duration	00:00:53

OS Process Information

Information	Value
PID	0xb70
Parent PID	0x458 (c:\windows\explorer.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B74 0x B88 0x B8C 0x 810 0x 850 0x 8A0 0x 860 0x 34C 0x 55C 0x 41C 0x 8EC 0x 90C 0x 914 0x 918 0x 31C 0x 910 0x 908 0x 904 0x 900 0x 8FC 0x 8F8 0x 8F4 0x 8F0 0x 924 0x 930 0x 848 0x 934 0x 844 0x 838 0x 83C 0x 840 0x 940 0x 43C 0x 5FC 0x 580 0x 21C 0x 468 0x 584 0x 7E8 0x 9F8

Memory Dumps

Name	Start VA	End VA	Dump Reason	PE Rebuilds	Bitness	Entry Points	Actions
chrome.exe	0x13F510000	0x13F63CFFF	Content Changed	-	64-bit	-	... Region Actions Download Dump
chrome.exe	0x13F510000	0x13F63CFFF	Content Changed	-	64-bit	-	... Region Actions Download Dump
chrome.exe	0x13F510000	0x13F63CFFF	Process Termination	-	64-bit	-	... Region Actions Download Dump

Hook Information

Type	Installer	Target	Size	Information	Actions
Code	pagefile_0x0000000001d50000:+0x29512	kernel32.dll:RegDeleteTreeA+0x216	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000001d50000:+0x29516	kernel32.dll:RegDeleteTreeA+0x210	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000001d50000:+0x29512	kernel32.dll:RegDeleteTreeA+0x224	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000001d50000:+0x29516	kernel32.dll:RegDeleteTreeA+0x21e	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000001d50000:+0x29512	kernel32.dll:RegDeleteTreeA+0x232	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000001d50000:+0x29516	kernel32.dll:RegDeleteTreeA+0x22c	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000001d50000:+0x29512	kernel32.dll:RegDeleteTreeA+0x240	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000001d50000:+0x29516	kernel32.dll:RegDeleteTreeA+0x23a	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000001d50000:+0x29512	advapi32.dll:InstallApplication+0x116	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000001d50000:+0x29516	advapi32.dll:InstallApplication+0x110	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
IAT	pagefile_0x0000000001d50000:+0x290f9	146. entry of chrome.exe	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000001d50000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001d50000:+0x290f9	26. entry of chrome.exe	4 bytes	advapi32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x0000000001d50000:+0x329f0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001d50000:+0x290f9	50. entry of chrome.exe	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001d50000:+0x290f9	80. entry of chrome_elf.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000001d50000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001d50000:+0x290f9	111. entry of chrome_elf.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001d50000:+0x290f9	148. entry of msvcrt.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000001d50000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001d50000:+0x290f9	147. entry of msvcrt.dll	4 bytes	kernel32.dll:CreateProcessA+0x0 now points to pagefile_0x0000000001d50000:+0x327bc	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001d50000:+0x290f9	225. entry of shell32.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000001d50000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001d50000:+0x290f9	237. entry of shell32.dll	4 bytes	kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x0000000001d50000:+0x329f0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001d50000:+0x290f9	252. entry of user32.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000001d50000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001d50000:+0x290f9	272. entry of user32.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001d50000:+0x290f9	88. entry of msctf.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000001d50000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001d50000:+0x290f9	89. entry of msctf.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001d50000:+0x290f9	298. entry of ole32.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000001d50000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001d50000:+0x290f9	28. entry of version.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001d50000:+0x290f9	467. entry of advapi32.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001d50000:+0x290f9	74. entry of shlwapi.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001d50000:+0x290f9	78. entry of gdi32.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001d50000:+0x290f9	150. entry of winmm.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001d50000:+0x290f9	75. entry of webio.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001d50000:+0x290f9	230. entry of comctl32.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#3: c:\windows\explorer.exe	0xb6c	address = 0x13f5437e0, size = 4	2	Fn Data
Modify Memory	#3: c:\windows\explorer.exe	0xb6c	address = 0x1d50000, size = 1269760	1	Fn Data
Modify Memory	#3: c:\windows\explorer.exe	0xb6c	address = 0xe0000, size = 792	1	Fn Data
Modify Control Flow	#3: c:\windows\explorer.exe	0xb6c	os_tid = 0xb74, address = 0x1	1	Fn

Threads

Thread 0xb74

1018

Category	Operation	Information	Count	Logfile
Module	Load	module_name = ntdll.dll, base_address = 0x0	1	Fn
Module	Get Address	function = ZwOpenProcess, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = ZwQueryInformationToken, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = ZwClose, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = NtMapViewOfSection, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = NtCreateSection, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = RtlRandomEx, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = NtQuerySystemInformation, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = memcmp, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = _strupr, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = _wcsupr, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = memmove, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = bsearch, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = _vsnwprintf, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = _strlwr, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = atoi, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = strstr, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = wcscpy, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = ZwQueryKey, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = sprintf, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = _snprintf, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = memset, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = mbstowcs, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = strcpy, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = memcpy, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = RtlImageDirectoryEntryToData, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = RtlImageNtHeader, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = ZwOpenProcessToken, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = __C_specific_handler, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = __chkstk, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = VirtualQueryEx, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = CreateRemoteThread, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetModuleFileNameW, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = FileTimeToSystemTime, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetLocalTime, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = OpenProcess, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetVersion, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = ExitThread, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetTempFileNameA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = VirtualProtect, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = VirtualFree, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetSystemInfo, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = DeleteCriticalSection, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = CloseHandle, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = CreateFileMappingA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = WriteProcessMemory, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = CreateFileA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = lstrcmpA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = MapViewOfFile, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = UnmapViewOfFile, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetModuleFileNameA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = lstrcmpiA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetModuleHandleA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = Sleep, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = LoadLibraryA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetCurrentProcess, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GlobalUnlock, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = HeapAlloc, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = lstrcpyA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GlobalLock, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = lstrlenA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = WriteFile, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = CreateDirectoryA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetLastError, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = HeapFree, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = RemoveDirectoryA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = DeleteFileA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = lstrcatA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetTickCount, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = HeapDestroy, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = HeapCreate, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = SetEvent, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = HeapReAlloc, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = FindFirstFileW, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = LocalFree, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = WaitForMultipleObjects, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = SuspendThread, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = TerminateProcess, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = ResumeThread, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = lstrcpyW, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = FindClose, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = CreateThread, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = ResetEvent, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = SwitchToThread, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = lstrcatW, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = FindNextFileW, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = CreateProcessW, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = CopyFileW, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = SetWaitableTimer, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = LocalAlloc, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetCurrentThreadId, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetCurrentThread, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = lstrlenW, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = CreateEventA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = DeleteFileW, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = CreateDirectoryW, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetTempPathA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = CreateFileW, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = WideCharToMultiByte, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetFileAttributesW, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetFileSize, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetComputerNameA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = EnterCriticalSection, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = CreateMutexA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = OpenWaitableTimerA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = OpenMutexA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetVolumeInformationA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = WaitForSingleObject, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = ReleaseMutex, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetComputerNameW, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = LeaveCriticalSection, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = SetLastError, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = InitializeCriticalSection, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = LoadLibraryExW, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetProcAddress, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetFileAttributesA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = OpenFileMappingA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetExitCodeProcess, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetDriveTypeW, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = lstrcpynA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = LocalReAlloc, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = TlsAlloc, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = TlsGetValue, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = TlsSetValue, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = FreeLibrary, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = LoadLibraryW, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetVersionExW, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = ReadFile, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = SetFilePointer, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = Thread32First, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = QueueUserAPC, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = OpenThread, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetCurrentProcessId, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = Thread32Next, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = FindFirstFileA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = FindNextFileA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = ConnectNamedPipe, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetOverlappedResult, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = CancelIo, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = DisconnectNamedPipe, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = FlushFileBuffers, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = CallNamedPipeA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = CreateNamedPipeA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetSystemTime, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = WaitNamedPipeA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = SetEndOfFile, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetFileTime, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = ExitProcess, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = CompareFileTime, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = GetTempPathW, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = OpenEventA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = RemoveDirectoryW, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = SleepEx, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = lstrcmpiW, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = RaiseException, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = Process32FirstW, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = Process32NextW, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = QueueUserWorkItem, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = CreateWaitableTimerA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = CreateProcessA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = VirtualProtectEx, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Load	module_name = AVIFIL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = AVIFileExit, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = AVIMakeCompressedStream, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = AVIStreamRelease, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = AVIFileRelease, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = AVIStreamWrite, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = AVIFileOpenA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = AVIFileCreateStreamA, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = AVIStreamSetFormat, ordinal = 0, address_out = 0x2ff0f0	1	Fn
Module	Get Address	function = AVIFileInit, ordinal = 0, address_out = 0x2ff0f0	1	Fn
System	Get Time	type = Ticks, time = 132881	1	Fn
Module	Get Handle	module_name = c:\program files (x86)\google\chrome\application\chrome.exe, base_address = 0x13f510000	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	module_name = AVIFIL32.dll, process_name = c:\program files (x86)\google\chrome\application\chrome.exe, file_name_orig = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsWow64Process, address_out = 0x770491d0	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x77160000	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7fefd71d710	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x7fefd5c0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrRChrA, address_out = 0x7fefd5c4c9c	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x76f40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = wsprintfA, address_out = 0x76fbbae8	1	Fn
Module	Get Handle	module_name = c:\windows\system32\user32.dll, base_address = 0x76f40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowThreadProcessId, address_out = 0x76f50a90	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = FindWindowA, address_out = 0x76f68270	1	Fn
Window	Find	class_name = ProgMan	1	Fn
Mutex	Create	mutex_name = {E66674FB-0DD1-08BF-C77A-91BCEB4E55B0}	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x77160000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernelbase.dll, base_address = 0x7fefd330000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = GetUserNameA, address_out = 0x7fefd71dc20	1	Fn
User	Get Username	-	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetThreadDesktop, address_out = 0x76f5a850	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetUserObjectInformationA, address_out = 0x76f4777c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CloseDesktop, address_out = 0x76f4d850	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x77160000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x7fefd710000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Load	module_name = PSAPI.DLL, base_address = 0x77320000	1	Fn
Module	Get Address	module_name = c:\windows\system32\psapi.dll, function = EnumProcessModules, address_out = 0x77321050	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	30	Fn
Module	Get Filename	module_name = AVIFIL32.dll, process_name = c:\program files (x86)\google\chrome\application\chrome.exe, file_name_orig = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, size = 260	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrStrIW, address_out = 0x7fefd5cfb70	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	31	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyA, address_out = 0x7fefd71d6d0	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x7fefd72c480	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY	2	Fn Data
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7fefd730710	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Config	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCreateKeyA, address_out = 0x7fefd717c50	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY	1	Fn
System	Get Computer Name	result_out = YKYD69Q	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x7fefd72b5f0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = ProductID, data = 48	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = ProductName, data = 87	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = CurrentVersion, data = 54	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data = 138	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Scr, type = REG_NONE	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x7fef9a10000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	2	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x77040000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	2	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x77040000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	2	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-localization-l1-2-1, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-string-l1-1-0, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-datetime-l1-1-1, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-localization-obsolete-l1-2-0, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, base_address = 0x13f510000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	2	Fn
Module	Load	module_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, base_address = 0x13f510000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = PathFindFileNameW, address_out = 0x7fefd5d3920	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrChrW, address_out = 0x7fefd5cfa50	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrTrimW, address_out = 0x7fefd5cb090	1	Fn
Process	Create	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, os_pid = 0xb90, creation_flags = CREATE_SUSPENDED, CREATE_EXTENDED_STARTUPINFO_PRESENT, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Memory	Read	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 8796092882944, size = 616	1	Fn Data
Memory	Read	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 5357240320, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 5357240648, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 5358159256, size = 40	1	Fn Data
Memory	Read	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 5358041600, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 5357451232, size = 4	1	Fn Data
Memory	Protect	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 5357451232, protection = PAGE_EXECUTE_READWRITE, size = 4	1	Fn
Memory	Write	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 0x13f5437e0, size = 4	1	Fn Data
Memory	Protect	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 5357451232, protection = PAGE_EXECUTE_READ, size = 4	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ResumeThread, address_out = 0x770513a0	1	Fn
Thread	Resume	process_name = c:\program files (x86)\google\chrome\application\chrome.exe, os_tid = 0xb74	1	Fn
System	Sleep	duration = 100 milliseconds (0.100 seconds)	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SuspendThread, address_out = 0x77042f60	1	Fn
Thread	Suspend	process_name = c:\program files (x86)\google\chrome\application\chrome.exe, os_tid = 0xb74	1	Fn
Thread	Get Context	process_name = c:\program files (x86)\google\chrome\application\chrome.exe, os_tid = 0xb74	1	Fn
Thread	Resume	process_name = c:\program files (x86)\google\chrome\application\chrome.exe, os_tid = 0xb74	1	Fn
System	Sleep	duration = 100 milliseconds (0.100 seconds)	1	Fn
Thread	Suspend	process_name = c:\program files (x86)\google\chrome\application\chrome.exe, os_tid = 0xb74	1	Fn
Thread	Get Context	process_name = c:\program files (x86)\google\chrome\application\chrome.exe, os_tid = 0xb74	1	Fn
Module	Create Mapping	protection = PAGE_EXECUTE_READWRITE, maximum_size = 3138048	1	Fn
Module	Map	process_name = c:\program files (x86)\google\chrome\application\chrome.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2b60000	1	Fn
Module	Map	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1df0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x77160000	1	Fn
Module	Get Filename	module_name = c:\windows\system32\ntdll.dll, process_name = c:\program files (x86)\google\chrome\application\chrome.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260	1	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4	1	Fn Data
Module	Get Filename	module_name = c:\windows\system32\ntdll.dll, process_name = c:\program files (x86)\google\chrome\application\chrome.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260	1	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4	1	Fn Data
Module	Get Filename	module_name = c:\windows\system32\ntdll.dll, process_name = c:\program files (x86)\google\chrome\application\chrome.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260	1	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4	1	Fn Data
Memory	Allocate	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 3136608, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3136616	1	Fn
Thread	Get Context	process_name = c:\program files (x86)\google\chrome\application\chrome.exe, os_tid = 0xb74	1	Fn
Memory	Write	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 0x3e0000, size = 792	1	Fn Data
Thread	Set Context	process_name = c:\program files (x86)\google\chrome\application\chrome.exe, os_tid = 0xb74	1	Fn
Module	Unmap	process_name = c:\program files (x86)\google\chrome\application\chrome.exe	1	Fn
Memory	Protect	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 5357451232, protection = PAGE_EXECUTE_READWRITE, size = 4	1	Fn
Memory	Write	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 0x13f5437e0, size = 4	1	Fn Data
Memory	Protect	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 5357451232, protection = PAGE_EXECUTE_READ, size = 4	1	Fn
Thread	Resume	process_name = c:\program files (x86)\google\chrome\application\chrome.exe, os_tid = 0xb74	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = C:\Program Files (x86)\Google\Chrome\Application\59.0.3071.115\chrome.dll, base_address = 0x7feef100000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = OLEACCRC.DLL, base_address = 0x340001	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	2	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x7fef9a10000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	2	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x77040000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	2	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x77040000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	2	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-localization-l1-2-1, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-string-l1-1-0, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-datetime-l1-1-1, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-localization-obsolete-l1-2-0, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Process	Create	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, os_pid = 0xbd4, creation_flags = CREATE_SUSPENDED, CREATE_EXTENDED_STARTUPINFO_PRESENT, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Memory	Read	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 8796092841984, size = 616	1	Fn Data
Memory	Read	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 5357240320, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 5357240648, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 5358159256, size = 40	1	Fn Data
Memory	Read	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 5358041600, size = 4096	1	Fn Data
Memory	Read	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 5357451232, size = 4	1	Fn Data
Memory	Protect	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 5357451232, protection = PAGE_EXECUTE_READWRITE, size = 4	1	Fn
Memory	Write	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 0x13f5437e0, size = 4	1	Fn Data
Memory	Protect	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 5357451232, protection = PAGE_EXECUTE_READ, size = 4	1	Fn
Thread	Resume	process_name = c:\program files (x86)\google\chrome\application\chrome.exe, os_tid = 0xb74	1	Fn
System	Sleep	duration = 100 milliseconds (0.100 seconds)	1	Fn
Thread	Suspend	process_name = c:\program files (x86)\google\chrome\application\chrome.exe, os_tid = 0xb74	1	Fn
Thread	Get Context	process_name = c:\program files (x86)\google\chrome\application\chrome.exe, os_tid = 0xb74	1	Fn
Module	Create Mapping	protection = PAGE_EXECUTE_READWRITE, maximum_size = 3141232	1	Fn
Module	Map	process_name = c:\program files (x86)\google\chrome\application\chrome.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2d70000	1	Fn
Module	Map	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1da0000	1	Fn
Memory	Allocate	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 3139792, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 3139800	1	Fn
Thread	Get Context	process_name = c:\program files (x86)\google\chrome\application\chrome.exe, os_tid = 0xb74	1	Fn
Memory	Write	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 0x70000, size = 792	1	Fn Data
Thread	Set Context	process_name = c:\program files (x86)\google\chrome\application\chrome.exe, os_tid = 0xb74	1	Fn
Module	Unmap	process_name = c:\program files (x86)\google\chrome\application\chrome.exe	1	Fn
Memory	Protect	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 5357451232, protection = PAGE_EXECUTE_READWRITE, size = 4	1	Fn
Memory	Write	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 0x13f5437e0, size = 4	1	Fn Data
Memory	Protect	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, address = 5357451232, protection = PAGE_EXECUTE_READ, size = 4	1	Fn
Thread	Resume	process_name = c:\program files (x86)\google\chrome\application\chrome.exe, os_tid = 0xb74	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = C:\Windows\system32\uxtheme.dll, base_address = 0x7fefba00000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	2	Fn
Module	Load	module_name = C:\Windows\system32\uxtheme.dll, base_address = 0x7fefba00000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	2	Fn
Module	Load	module_name = C:\Windows\system32\uxtheme.dll, base_address = 0x7fefba00000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	2	Fn
Module	Load	module_name = C:\Windows\system32\uxtheme.dll, base_address = 0x7fefba00000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	2	Fn
Module	Load	module_name = API-MS-Win-Core-LocalRegistry-L1-1-0.dll, base_address = 0x77040000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	2	Fn
Module	Load	module_name = C:\Windows\system32\audioses.dll, base_address = 0x7fef7760000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = propsys.dll, base_address = 0x7fefba60000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	2	Fn

Thread 0xb88

Category	Operation	Information	Success	Count	Logfile
System	Sleep	duration = -1 (infinite)		1	Fn

Thread 0xb8c

Category	Operation	Information	Count	Logfile
Mutex	Open	mutex_name = Local\{FCF9E212-2B0D-8EC0-95F0-8FA2992433F6}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Mutex	Open	mutex_name = Local\{4B67ACB1-2E14-B54D-90AF-42B9C45396FD}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Mutex	Open	mutex_name = Local\{A3415127-A63A-CD11-C887-3A517CAB0E15}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn

Thread 0x8fc

Category	Operation	Information	Success	Count	Logfile
Process	Create	process_name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, os_pid = 0x9fc, creation_flags = CREATE_SUSPENDED, CREATE_DETACHED_PROCESS, CREATE_UNICODE_ENVIRONMENT, CREATE_EXTENDED_STARTUPINFO_PRESENT, CREATE_BREAKAWAY_FROM_JOB, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE		1	Fn
Thread	Resume	os_tid = 0x9f0		1	Fn

Thread 0x844

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = C:\Windows\system32\wlanapi.dll, base_address = 0x7fef42a0000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn

Thread 0x940

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-security-systemfunctions-l1-1-0, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = advapi32, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = advapi32, base_address = 0x7fefd710000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn

Process #8: chrome.exe

881

Information	Value
ID	#8
File Name	c:\program files (x86)\google\chrome\application\chrome.exe
Command Line	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=59.0.3071.115 --initial-client-data=0x11c,0x120,0x124,0x118,0x128,0x7fef4b319d0,0x7fef4b319b8,0x7fef4b319e8 --use-spdy=off
Initial Working Directory	C:\Program Files (x86)\Google\Chrome\Application\
Monitor	Start Time: 00:01:12, Reason: Child Process
Unmonitor	End Time: 00:01:14, Reason: Self Terminated
Monitor Duration	00:00:02

OS Process Information

Information	Value
PID	0xb90
Parent PID	0xb70 (c:\program files (x86)\google\chrome\application\chrome.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B94 0x BA4 0x BA8 0x BAC

Memory Dumps

Name	Start VA	End VA	Dump Reason	PE Rebuilds	Bitness	Entry Points	AV	YARA	Actions
chrome.exe	0x13F510000	0x13F63CFFF	Process Termination	-	64-bit	-			... Region Actions Download Dump

Hook Information

Type	Installer	Target	Size	Information	Actions
Code	pagefile_0x0000000001df0000:+0x29512	kernel32.dll:RegDeleteTreeA+0x216	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000001df0000:+0x29516	kernel32.dll:RegDeleteTreeA+0x210	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000001df0000:+0x29512	kernel32.dll:RegDeleteTreeA+0x224	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000001df0000:+0x29516	kernel32.dll:RegDeleteTreeA+0x21e	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000001df0000:+0x29512	kernel32.dll:RegDeleteTreeA+0x232	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000001df0000:+0x29516	kernel32.dll:RegDeleteTreeA+0x22c	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000001df0000:+0x29512	kernel32.dll:RegDeleteTreeA+0x240	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000001df0000:+0x29516	kernel32.dll:RegDeleteTreeA+0x23a	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000001df0000:+0x29512	advapi32.dll:InstallApplication+0x116	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000001df0000:+0x29516	advapi32.dll:InstallApplication+0x110	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
IAT	pagefile_0x0000000001df0000:+0x290f9	146. entry of chrome.exe	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000001df0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001df0000:+0x290f9	26. entry of chrome.exe	4 bytes	advapi32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x0000000001df0000:+0x329f0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001df0000:+0x290f9	50. entry of chrome.exe	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001df0000:+0x290f9	80. entry of chrome_elf.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000001df0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001df0000:+0x290f9	111. entry of chrome_elf.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001df0000:+0x290f9	148. entry of msvcrt.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000001df0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001df0000:+0x290f9	147. entry of msvcrt.dll	4 bytes	kernel32.dll:CreateProcessA+0x0 now points to pagefile_0x0000000001df0000:+0x327bc	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001df0000:+0x290f9	225. entry of shell32.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000001df0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001df0000:+0x290f9	237. entry of shell32.dll	4 bytes	kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x0000000001df0000:+0x329f0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001df0000:+0x290f9	252. entry of user32.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000001df0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001df0000:+0x290f9	272. entry of user32.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001df0000:+0x290f9	88. entry of msctf.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000001df0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001df0000:+0x290f9	89. entry of msctf.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001df0000:+0x290f9	298. entry of ole32.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000001df0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001df0000:+0x290f9	28. entry of version.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001df0000:+0x290f9	467. entry of advapi32.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001df0000:+0x290f9	74. entry of shlwapi.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001df0000:+0x290f9	78. entry of gdi32.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001df0000:+0x290f9	150. entry of winmm.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001df0000:+0x290f9	75. entry of webio.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001df0000:+0x290f9	230. entry of comctl32.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#7: c:\program files (x86)\google\chrome\application\chrome.exe	0xb74	address = 0x13f5437e0, size = 4	2	Fn Data
Modify Memory	#7: c:\program files (x86)\google\chrome\application\chrome.exe	0xb74	address = 0x1df0000, size = 1269760	1	Fn Data
Modify Memory	#7: c:\program files (x86)\google\chrome\application\chrome.exe	0xb74	address = 0x3e0000, size = 792	1	Fn Data
Modify Control Flow	#7: c:\program files (x86)\google\chrome\application\chrome.exe	0xb74	os_tid = 0xb94, address = 0x1	1	Fn

Threads

Thread 0xb94

878

Category	Operation	Information	Count	Logfile
Module	Load	module_name = ntdll.dll, base_address = 0x0	1	Fn
Module	Get Address	function = ZwOpenProcess, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = ZwQueryInformationToken, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = ZwClose, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = NtMapViewOfSection, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = NtCreateSection, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = RtlRandomEx, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = NtQuerySystemInformation, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = memcmp, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = _strupr, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = _wcsupr, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = memmove, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = bsearch, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = _vsnwprintf, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = _strlwr, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = atoi, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = strstr, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = wcscpy, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = ZwQueryKey, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = sprintf, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = _snprintf, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = memset, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = mbstowcs, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = strcpy, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = memcpy, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = RtlImageDirectoryEntryToData, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = RtlImageNtHeader, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = ZwOpenProcessToken, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = __C_specific_handler, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = __chkstk, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = VirtualQueryEx, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = CreateRemoteThread, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetModuleFileNameW, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = FileTimeToSystemTime, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetLocalTime, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = OpenProcess, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetVersion, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = ExitThread, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetTempFileNameA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = VirtualProtect, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = VirtualFree, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetSystemInfo, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = DeleteCriticalSection, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = CloseHandle, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = CreateFileMappingA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = WriteProcessMemory, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = CreateFileA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = lstrcmpA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = MapViewOfFile, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = UnmapViewOfFile, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetModuleFileNameA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = lstrcmpiA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetModuleHandleA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = Sleep, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = LoadLibraryA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetCurrentProcess, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GlobalUnlock, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = HeapAlloc, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = lstrcpyA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GlobalLock, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = lstrlenA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = WriteFile, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = CreateDirectoryA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetLastError, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = HeapFree, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = RemoveDirectoryA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = DeleteFileA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = lstrcatA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetTickCount, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = HeapDestroy, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = HeapCreate, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = SetEvent, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = HeapReAlloc, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = FindFirstFileW, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = LocalFree, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = WaitForMultipleObjects, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = SuspendThread, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = TerminateProcess, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = ResumeThread, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = lstrcpyW, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = FindClose, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = CreateThread, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = ResetEvent, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = SwitchToThread, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = lstrcatW, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = FindNextFileW, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = CreateProcessW, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = CopyFileW, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = SetWaitableTimer, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = LocalAlloc, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetCurrentThreadId, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetCurrentThread, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = lstrlenW, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = CreateEventA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = DeleteFileW, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = CreateDirectoryW, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetTempPathA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = CreateFileW, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = WideCharToMultiByte, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetFileAttributesW, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetFileSize, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetComputerNameA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = EnterCriticalSection, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = CreateMutexA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = OpenWaitableTimerA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = OpenMutexA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetVolumeInformationA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = WaitForSingleObject, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = ReleaseMutex, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetComputerNameW, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = LeaveCriticalSection, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = SetLastError, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = InitializeCriticalSection, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = LoadLibraryExW, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetProcAddress, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetFileAttributesA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = OpenFileMappingA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetExitCodeProcess, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetDriveTypeW, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = lstrcpynA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = LocalReAlloc, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = TlsAlloc, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = TlsGetValue, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = TlsSetValue, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = FreeLibrary, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = LoadLibraryW, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetVersionExW, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = ReadFile, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = SetFilePointer, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = Thread32First, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = QueueUserAPC, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = OpenThread, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetCurrentProcessId, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = Thread32Next, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = FindFirstFileA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = FindNextFileA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = ConnectNamedPipe, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetOverlappedResult, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = CancelIo, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = DisconnectNamedPipe, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = FlushFileBuffers, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = CallNamedPipeA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = CreateNamedPipeA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetSystemTime, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = WaitNamedPipeA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = SetEndOfFile, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetFileTime, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = ExitProcess, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = CompareFileTime, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = GetTempPathW, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = OpenEventA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = RemoveDirectoryW, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = SleepEx, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = lstrcmpiW, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = RaiseException, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = Process32FirstW, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = Process32NextW, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = QueueUserWorkItem, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = CreateWaitableTimerA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = CreateProcessA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = VirtualProtectEx, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Load	module_name = AVIFIL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = AVIFileExit, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = AVIMakeCompressedStream, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = AVIStreamRelease, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = AVIFileRelease, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = AVIStreamWrite, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = AVIFileOpenA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = AVIFileCreateStreamA, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = AVIStreamSetFormat, ordinal = 0, address_out = 0x23efe0	1	Fn
Module	Get Address	function = AVIFileInit, ordinal = 0, address_out = 0x23efe0	1	Fn
System	Get Time	type = Ticks, time = 135034	1	Fn
Module	Get Handle	module_name = c:\program files (x86)\google\chrome\application\chrome.exe, base_address = 0x13f510000	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	module_name = AVIFIL32.dll, process_name = c:\program files (x86)\google\chrome\application\chrome.exe, file_name_orig = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsWow64Process, address_out = 0x770491d0	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x77160000	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7fefd71d710	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x7fefd5c0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrRChrA, address_out = 0x7fefd5c4c9c	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x76f40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = wsprintfA, address_out = 0x76fbbae8	1	Fn
Module	Get Handle	module_name = c:\windows\system32\user32.dll, base_address = 0x76f40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowThreadProcessId, address_out = 0x76f50a90	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = FindWindowA, address_out = 0x76f68270	1	Fn
Window	Find	class_name = ProgMan	1	Fn
Mutex	Create	mutex_name = {8628A1FE-2D66-A811-E71A-B15C0BEE7550}	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x77160000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernelbase.dll, base_address = 0x7fefd330000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = GetUserNameA, address_out = 0x7fefd71dc20	1	Fn
User	Get Username	-	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetThreadDesktop, address_out = 0x76f5a850	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetUserObjectInformationA, address_out = 0x76f4777c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CloseDesktop, address_out = 0x76f4d850	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x77160000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x7fefd710000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Load	module_name = PSAPI.DLL, base_address = 0x77320000	1	Fn
Module	Get Address	module_name = c:\windows\system32\psapi.dll, function = EnumProcessModules, address_out = 0x77321050	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	30	Fn
Module	Get Filename	module_name = AVIFIL32.dll, process_name = c:\program files (x86)\google\chrome\application\chrome.exe, file_name_orig = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, size = 260	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrStrIW, address_out = 0x7fefd5cfb70	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	31	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyA, address_out = 0x7fefd71d6d0	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x7fefd72c480	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY	2	Fn Data
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7fefd730710	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Config	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCreateKeyA, address_out = 0x7fefd717c50	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY	1	Fn
System	Get Computer Name	result_out = YKYD69Q	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x7fefd72b5f0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = ProductID, data = 48	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = ProductName, data = 87	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = CurrentVersion, data = 54	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data = 138	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Scr, type = REG_NONE	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x7fef9a10000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	2	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x77040000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	2	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x77040000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	2	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-localization-l1-2-1, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-string-l1-1-0, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-datetime-l1-1-1, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-localization-obsolete-l1-2-0, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-appmodel-runtime-l1-1-2, base_address = 0x0	1	Fn

Process #10: chrome.exe

933

Information	Value
ID	#10
File Name	c:\program files (x86)\google\chrome\application\chrome.exe
Command Line	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2932 --on-initialized-event-handle=392 --parent-handle=396 /prefetch:6
Initial Working Directory	C:\Program Files (x86)\Google\Chrome\Application\59.0.3071.115\
Monitor	Start Time: 00:01:18, Reason: Child Process
Unmonitor	End Time: 00:01:58, Reason: Self Terminated
Monitor Duration	00:00:40

OS Process Information

Information	Value
PID	0xbd4
Parent PID	0xb70 (c:\program files (x86)\google\chrome\application\chrome.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x BD8 0x BE8 0x BEC 0x BF4

Memory Dumps

Name	Start VA	End VA	Dump Reason	PE Rebuilds	Bitness	Entry Points	AV	YARA	Actions
chrome.exe	0x13F510000	0x13F63CFFF	Process Termination	-	64-bit	-			... Region Actions Download Dump

Hook Information

Type	Installer	Target	Size	Information	Actions
Code	pagefile_0x0000000001da0000:+0x29512	kernel32.dll:RegDeleteTreeA+0x216	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000001da0000:+0x29516	kernel32.dll:RegDeleteTreeA+0x210	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000001da0000:+0x29512	kernel32.dll:RegDeleteTreeA+0x224	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000001da0000:+0x29516	kernel32.dll:RegDeleteTreeA+0x21e	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000001da0000:+0x29512	kernel32.dll:RegDeleteTreeA+0x232	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000001da0000:+0x29516	kernel32.dll:RegDeleteTreeA+0x22c	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000001da0000:+0x29512	kernel32.dll:RegDeleteTreeA+0x240	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000001da0000:+0x29516	kernel32.dll:RegDeleteTreeA+0x23a	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000001da0000:+0x29512	advapi32.dll:InstallApplication+0x116	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x0000000001da0000:+0x29516	advapi32.dll:InstallApplication+0x110	2 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
IAT	pagefile_0x0000000001da0000:+0x290f9	146. entry of chrome.exe	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000001da0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001da0000:+0x290f9	26. entry of chrome.exe	4 bytes	advapi32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x0000000001da0000:+0x329f0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001da0000:+0x290f9	50. entry of chrome.exe	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001da0000:+0x290f9	80. entry of chrome_elf.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000001da0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001da0000:+0x290f9	111. entry of chrome_elf.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001da0000:+0x290f9	148. entry of msvcrt.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000001da0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001da0000:+0x290f9	147. entry of msvcrt.dll	4 bytes	kernel32.dll:CreateProcessA+0x0 now points to pagefile_0x0000000001da0000:+0x327bc	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001da0000:+0x290f9	225. entry of shell32.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000001da0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001da0000:+0x290f9	237. entry of shell32.dll	4 bytes	kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x0000000001da0000:+0x329f0	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001da0000:+0x290f9	252. entry of user32.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000001da0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001da0000:+0x290f9	272. entry of user32.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001da0000:+0x290f9	88. entry of msctf.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000001da0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001da0000:+0x290f9	89. entry of msctf.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001da0000:+0x290f9	298. entry of ole32.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000001da0000:+0x326b4	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001da0000:+0x290f9	28. entry of version.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001da0000:+0x290f9	467. entry of advapi32.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001da0000:+0x290f9	74. entry of shlwapi.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001da0000:+0x290f9	78. entry of gdi32.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001da0000:+0x290f9	150. entry of winmm.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001da0000:+0x290f9	75. entry of webio.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x0000000001da0000:+0x290f9	230. entry of comctl32.dll	4 bytes	kernel32.dll:LoadLibraryExW+0x0 now points to kernel32.dll:RegDeleteTreeA+0x23a	... Actions Go to Installer Region Go to Target Region

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#7: c:\program files (x86)\google\chrome\application\chrome.exe	0xb74	address = 0x13f5437e0, size = 4	2	Fn Data
Modify Memory	#7: c:\program files (x86)\google\chrome\application\chrome.exe	0xb74	address = 0x1da0000, size = 1269760	1	Fn Data
Modify Memory	#7: c:\program files (x86)\google\chrome\application\chrome.exe	0xb74	address = 0x70000, size = 792	1	Fn Data
Modify Control Flow	#7: c:\program files (x86)\google\chrome\application\chrome.exe	0xb74	os_tid = 0xbd8, address = 0x1	1	Fn

Threads

Thread 0xbd8

924

Category	Operation	Information	Count	Logfile
Module	Load	module_name = ntdll.dll, base_address = 0x0	1	Fn
Module	Get Address	function = ZwOpenProcess, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = ZwQueryInformationToken, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = ZwClose, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = NtMapViewOfSection, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = NtCreateSection, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = RtlRandomEx, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = NtQuerySystemInformation, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = memcmp, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = _strupr, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = _wcsupr, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = memmove, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = bsearch, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = _vsnwprintf, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = _strlwr, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = atoi, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = strstr, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = wcscpy, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = ZwQueryKey, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = sprintf, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = _snprintf, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = memset, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = mbstowcs, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = strcpy, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = memcpy, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = RtlImageDirectoryEntryToData, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = RtlImageNtHeader, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = ZwOpenProcessToken, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = __C_specific_handler, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = __chkstk, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = VirtualQueryEx, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = CreateRemoteThread, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetModuleFileNameW, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = FileTimeToSystemTime, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetLocalTime, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = OpenProcess, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetVersion, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = ExitThread, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetTempFileNameA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = VirtualProtect, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = VirtualFree, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetSystemInfo, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = DeleteCriticalSection, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = CloseHandle, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = CreateFileMappingA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = WriteProcessMemory, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = CreateFileA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = lstrcmpA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = MapViewOfFile, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = UnmapViewOfFile, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetModuleFileNameA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = lstrcmpiA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetModuleHandleA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = Sleep, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = LoadLibraryA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetCurrentProcess, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GlobalUnlock, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = HeapAlloc, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = lstrcpyA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GlobalLock, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = lstrlenA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = WriteFile, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = CreateDirectoryA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetLastError, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = HeapFree, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = RemoveDirectoryA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = DeleteFileA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = lstrcatA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetTickCount, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = HeapDestroy, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = HeapCreate, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = SetEvent, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = HeapReAlloc, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = FindFirstFileW, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = LocalFree, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = WaitForMultipleObjects, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = SuspendThread, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = TerminateProcess, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = ResumeThread, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = lstrcpyW, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = FindClose, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = CreateThread, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = ResetEvent, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = SwitchToThread, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = lstrcatW, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = FindNextFileW, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = CreateProcessW, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = CopyFileW, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = SetWaitableTimer, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = LocalAlloc, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetCurrentThreadId, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetCurrentThread, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = lstrlenW, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = CreateEventA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = DeleteFileW, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = CreateDirectoryW, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetTempPathA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = CreateFileW, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = WideCharToMultiByte, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetFileAttributesW, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetFileSize, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetComputerNameA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = EnterCriticalSection, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = CreateMutexA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = OpenWaitableTimerA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = OpenMutexA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetVolumeInformationA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = WaitForSingleObject, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = ReleaseMutex, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetComputerNameW, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = LeaveCriticalSection, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = SetLastError, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = InitializeCriticalSection, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = LoadLibraryExW, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetProcAddress, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetFileAttributesA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = OpenFileMappingA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetExitCodeProcess, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetDriveTypeW, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = lstrcpynA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = LocalReAlloc, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = TlsAlloc, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = TlsGetValue, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = TlsSetValue, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = FreeLibrary, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = LoadLibraryW, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetVersionExW, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = ReadFile, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = SetFilePointer, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = Thread32First, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = QueueUserAPC, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = OpenThread, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetCurrentProcessId, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = Thread32Next, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = FindFirstFileA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = FindNextFileA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = ConnectNamedPipe, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetOverlappedResult, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = CancelIo, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = DisconnectNamedPipe, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = FlushFileBuffers, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = CallNamedPipeA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = CreateNamedPipeA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetSystemTime, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = WaitNamedPipeA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = SetEndOfFile, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetFileTime, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = ExitProcess, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = CompareFileTime, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = GetTempPathW, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = OpenEventA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = RemoveDirectoryW, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = SleepEx, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = lstrcmpiW, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = RaiseException, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = Process32FirstW, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = Process32NextW, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = QueueUserWorkItem, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = CreateWaitableTimerA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = CreateProcessA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = VirtualProtectEx, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Load	module_name = AVIFIL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = AVIFileExit, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = AVIMakeCompressedStream, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = AVIStreamRelease, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = AVIFileRelease, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = AVIStreamWrite, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = AVIFileOpenA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = AVIFileCreateStreamA, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = AVIStreamSetFormat, ordinal = 0, address_out = 0x27f070	1	Fn
Module	Get Address	function = AVIFileInit, ordinal = 0, address_out = 0x27f070	1	Fn
System	Get Time	type = Ticks, time = 139090	1	Fn
Module	Get Handle	module_name = c:\program files (x86)\google\chrome\application\chrome.exe, base_address = 0x13f510000	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	module_name = AVIFIL32.dll, process_name = c:\program files (x86)\google\chrome\application\chrome.exe, file_name_orig = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsWow64Process, address_out = 0x770491d0	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x77160000	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7fefd71d710	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x7fefd5c0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrRChrA, address_out = 0x7fefd5c4c9c	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x76f40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = wsprintfA, address_out = 0x76fbbae8	1	Fn
Module	Get Handle	module_name = c:\windows\system32\user32.dll, base_address = 0x76f40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowThreadProcessId, address_out = 0x76f50a90	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = FindWindowA, address_out = 0x76f68270	1	Fn
Window	Find	class_name = ProgMan	1	Fn
Mutex	Create	mutex_name = {FA436005-1103-3CE1-6BCE-D530CFE2D964}	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x77160000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernelbase.dll, base_address = 0x7fefd330000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = GetUserNameA, address_out = 0x7fefd71dc20	1	Fn
User	Get Username	-	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetThreadDesktop, address_out = 0x76f5a850	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetUserObjectInformationA, address_out = 0x76f4777c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CloseDesktop, address_out = 0x76f4d850	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x77160000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x7fefd710000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x7fefd710000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Load	module_name = PSAPI.DLL, base_address = 0x77320000	1	Fn
Module	Get Address	module_name = c:\windows\system32\psapi.dll, function = EnumProcessModules, address_out = 0x77321050	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	30	Fn
Module	Get Filename	module_name = AVIFIL32.dll, process_name = c:\program files (x86)\google\chrome\application\chrome.exe, file_name_orig = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, size = 260	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrStrIW, address_out = 0x7fefd5cfb70	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	31	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyA, address_out = 0x7fefd71d6d0	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x7fefd72c480	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY	2	Fn Data
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7fefd730710	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Config	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCreateKeyA, address_out = 0x7fefd717c50	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY	1	Fn
System	Get Computer Name	result_out = YKYD69Q	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x7fefd72b5f0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = ProductID, data = 48	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = ProductName, data = 87	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = CurrentVersion, data = 54	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data = 138	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Scr, type = REG_NONE	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x7fef9a10000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	2	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x77040000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	2	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x77040000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	2	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-localization-l1-2-1, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-string-l1-1-0, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-datetime-l1-1-1, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-localization-obsolete-l1-2-0, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = C:\Program Files (x86)\Google\Chrome\Application\59.0.3071.115\chrome_watcher.dll, base_address = 0x7feeed90000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x7fef9a10000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	2	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x77040000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	2	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x77040000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	2	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-localization-l1-2-1, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-string-l1-1-0, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-datetime-l1-1-1, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-localization-obsolete-l1-2-0, base_address = 0x0	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	2	Fn
Module	Load	module_name = C:\Windows\system32\uxtheme.dll, base_address = 0x7fefba00000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	2	Fn
Module	Load	module_name = C:\Windows\system32\uxtheme.dll, base_address = 0x7fefba00000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	2	Fn
Module	Load	module_name = C:\Windows\system32\uxtheme.dll, base_address = 0x7fefba00000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	2	Fn
Module	Load	module_name = C:\Windows\system32\uxtheme.dll, base_address = 0x7fefba00000	1	Fn
Module	Get Handle	module_name = CHROME_CHILD.DLL, base_address = 0x0	2	Fn
Module	Load	module_name = api-ms-win-appmodel-runtime-l1-1-2, base_address = 0x0	1	Fn

Thread 0xbe8

Category	Operation	Information	Success	Count	Logfile
System	Sleep	duration = -1 (infinite)		1	Fn

Thread 0xbec

Category	Operation	Information	Count	Logfile
Mutex	Open	mutex_name = Local\{FCF9E212-2B0D-8EC0-95F0-8FA2992433F6}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Mutex	Open	mutex_name = Local\{4B67ACB1-2E14-B54D-90AF-42B9C45396FD}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Mutex	Open	mutex_name = Local\{A3415127-A63A-CD11-C887-3A517CAB0E15}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn

Process #11: iexplore.exe

1065

335

Information	Value
ID	#11
File Name	c:\program files (x86)\internet explorer\iexplore.exe
Command Line	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2900 CREDAT:14337
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:01:21, Reason: Child Process
Unmonitor	End Time: 00:15:20, Reason: Terminated by Timeout
Monitor Duration	00:13:58

OS Process Information

Information	Value
PID	0x130
Parent PID	0xb54 (c:\program files (x86)\internet explorer\iexplore.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 7D8 0x 7D0 0x 790 0x 614 0x 274 0x 500 0x 898 0x 89C 0x 6F4 0x 870 0x 854 0x 828 0x 834 0x 440 0x 920 0x 31C 0x 364 0x 574 0x BB4 0x 274 0x 650 0x 878 0x 360 0x A7C 0x AF8

Hook Information

Type	Installer	Target	Size	Information	Actions
Code	pagefile_0x00000000003f0000:+0x1f68c	kernel32.dll:WakeConditionVariable+0x6026	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f68f	kernel32.dll:WakeConditionVariable+0x6025	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f6be	kernel32.dll:$$VProc_ImageExportDirectory+0x2cc	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f68c	kernel32.dll:WakeConditionVariable+0x602b	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f68f	kernel32.dll:WakeConditionVariable+0x602a	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f6be	kernel32.dll:$$VProc_ImageExportDirectory+0x2bc	8 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f68c	kernel32.dll:WakeConditionVariable+0x6030	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f68f	kernel32.dll:WakeConditionVariable+0x602f	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f68c	advapi32.dll:__sz_pcwum_dll+0x4461	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f68f	advapi32.dll:__sz_pcwum_dll+0x4460	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f6be	advapi32.dll:$$VProc_ImageExportDirectory+0x21c	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f68c	wininet.dll:InternetConfirmZoneCrossing+0x14d6b	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f68f	wininet.dll:InternetConfirmZoneCrossing+0x14d6a	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f6be	wininet.dll:+0x2a90	12 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f68c	wininet.dll:InternetConfirmZoneCrossing+0x14d70	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f68f	wininet.dll:InternetConfirmZoneCrossing+0x14d6f	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f6be	wininet.dll:+0x2b10	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f68c	wininet.dll:InternetConfirmZoneCrossing+0x14d75	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f68f	wininet.dll:InternetConfirmZoneCrossing+0x14d74	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f68c	wininet.dll:InternetConfirmZoneCrossing+0x14d7a	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f68f	wininet.dll:InternetConfirmZoneCrossing+0x14d79	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f68c	wininet.dll:InternetConfirmZoneCrossing+0x14d7f	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f68f	wininet.dll:InternetConfirmZoneCrossing+0x14d7e	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f6be	wininet.dll:+0x2980	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f68c	wininet.dll:InternetConfirmZoneCrossing+0x14d84	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f68f	wininet.dll:InternetConfirmZoneCrossing+0x14d83	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f6be	wininet.dll:+0x298c	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f68c	wininet.dll:InternetConfirmZoneCrossing+0x14d89	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f68f	wininet.dll:InternetConfirmZoneCrossing+0x14d88	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f6be	wininet.dll:+0x2a80	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f68c	wininet.dll:InternetConfirmZoneCrossing+0x14d8e	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f68f	wininet.dll:InternetConfirmZoneCrossing+0x14d8d	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f6be	wininet.dll:+0x2974	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f68c	wininet.dll:InternetConfirmZoneCrossing+0x14d93	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f68f	wininet.dll:InternetConfirmZoneCrossing+0x14d92	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f6be	wininet.dll:+0x2970	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f68c	wininet.dll:InternetConfirmZoneCrossing+0x14d98	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f68f	wininet.dll:InternetConfirmZoneCrossing+0x14d97	1 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	pagefile_0x00000000003f0000:+0x1f6be	wininet.dll:+0x29c0	4 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
IAT	pagefile_0x00000000003f0000:+0x1f42a	32. entry of iexplore.exe	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x00000000003f0000:+0x2b9c1	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000003f0000:+0x1f42a	143. entry of msvcrt.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x00000000003f0000:+0x2b9c1	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000003f0000:+0x1f42a	142. entry of msvcrt.dll	4 bytes	kernel32.dll:CreateProcessA+0x0 now points to pagefile_0x00000000003f0000:+0x2ba4e	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000003f0000:+0x1f42a	259. entry of user32.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x00000000003f0000:+0x2b9c1	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000003f0000:+0x1f42a	248. entry of shell32.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x00000000003f0000:+0x2b9c1	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000003f0000:+0x1f42a	246. entry of shell32.dll	4 bytes	kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x00000000003f0000:+0x2bb7d	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000003f0000:+0x1f42a	310. entry of ole32.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x00000000003f0000:+0x2b9c1	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000003f0000:+0x1f42a	122. entry of iertutil.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x00000000003f0000:+0x2b9c1	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000003f0000:+0x1f42a	157. entry of iertutil.dll	4 bytes	advapi32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x00000000003f0000:+0x2bb7d	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000003f0000:+0x1f42a	500. entry of urlmon.dll	4 bytes	kernel32.dll:CreateProcessA+0x0 now points to pagefile_0x00000000003f0000:+0x2ba4e	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000003f0000:+0x1f42a	85. entry of urlmon.dll	4 bytes	wininet.dll:InternetReadFile+0x0 now points to wininet.dll:InternetConfirmZoneCrossing+0x14d6a	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000003f0000:+0x1f42a	96. entry of urlmon.dll	4 bytes	wininet.dll:InternetWriteFile+0x0 now points to wininet.dll:InternetConfirmZoneCrossing+0x14d6f	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000003f0000:+0x1f42a	89. entry of urlmon.dll	4 bytes	wininet.dll:InternetReadFileExW+0x0 now points to wininet.dll:InternetConfirmZoneCrossing+0x14d79	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000003f0000:+0x1f42a	97. entry of urlmon.dll	4 bytes	wininet.dll:HttpSendRequestW+0x0 now points to wininet.dll:InternetConfirmZoneCrossing+0x14d83	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000003f0000:+0x1f42a	86. entry of urlmon.dll	4 bytes	wininet.dll:InternetQueryDataAvailable+0x0 now points to wininet.dll:InternetConfirmZoneCrossing+0x14d88	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000003f0000:+0x1f42a	92. entry of urlmon.dll	4 bytes	wininet.dll:HttpOpenRequestW+0x0 now points to wininet.dll:InternetConfirmZoneCrossing+0x14d8d	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000003f0000:+0x1f42a	116. entry of urlmon.dll	4 bytes	wininet.dll:InternetCloseHandle+0x0 now points to wininet.dll:InternetConfirmZoneCrossing+0x14d97	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000003f0000:+0x1f42a	141. entry of wininet.dll	4 bytes	advapi32.dll:CreateProcessAsUserA+0x0 now points to pagefile_0x00000000003f0000:+0x2badb	... Actions Go to Installer Region Go to Target Region
IAT	pagefile_0x00000000003f0000:+0x1f42a	91. entry of msctf.dll	4 bytes	kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x00000000003f0000:+0x2b9c1	... Actions Go to Installer Region Go to Target Region

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#5: c:\program files (x86)\internet explorer\iexplore.exe	0xb58	address = 0xd61c9a, size = 4	2	Fn Data
Modify Memory	#5: c:\program files (x86)\internet explorer\iexplore.exe	0xb58	address = 0x3f0000, size = 1212416	1	Fn Data
Modify Memory	#5: c:\program files (x86)\internet explorer\iexplore.exe	0xb58	address = 0x250000, size = 792	1	Fn Data
Modify Control Flow	#5: c:\program files (x86)\internet explorer\iexplore.exe	0xb58	os_tid = 0x7d8, address = 0x250218	1	Fn

Threads

Thread 0x7d8

922

Category	Operation	Information	Count	Logfile
Module	Load	module_name = ntdll.dll, base_address = 0x0	1	Fn
Module	Get Address	function = ZwClose, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = ZwOpenProcess, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = ZwOpenProcessToken, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = ZwQueryInformationToken, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = NtCreateSection, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = NtMapViewOfSection, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = RtlRandomEx, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = RtlGetVersion, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = NtQuerySystemInformation, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = RtlImageNtHeader, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = _strupr, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = _wcsupr, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = memmove, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = bsearch, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = _vsnwprintf, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = strstr, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = _strlwr, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = atoi, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = wcscpy, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = ZwQueryKey, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = sprintf, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = _snprintf, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = memset, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = mbstowcs, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = memcpy, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = strcpy, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = RtlImageDirectoryEntryToData, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = memcmp, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = _aulldiv, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = _allmul, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = _aullshr, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = _allshl, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = _chkstk, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = RtlUnwind, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = NtQueryVirtualMemory, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = FileTimeToSystemTime, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = OpenProcess, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetLocalTime, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = VirtualQueryEx, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = CreateRemoteThread, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetVersion, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = ExitThread, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetTempFileNameA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = DeleteCriticalSection, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = VirtualProtect, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetSystemInfo, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = lstrcmpA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetModuleFileNameA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetModuleHandleA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = lstrcmpiA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = MapViewOfFile, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = UnmapViewOfFile, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = Sleep, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = LoadLibraryA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = CloseHandle, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = WriteProcessMemory, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = CreateFileMappingA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetCurrentProcess, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = CreateFileA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = lstrlenA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GlobalUnlock, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = lstrcpyA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = HeapAlloc, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GlobalLock, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = RemoveDirectoryA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = DeleteFileA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = HeapFree, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = lstrcatA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = WriteFile, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = CreateDirectoryA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetLastError, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = InterlockedIncrement, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = InterlockedDecrement, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = HeapDestroy, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = HeapCreate, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = SetEvent, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = HeapReAlloc, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetTickCount, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = LocalFree, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = SuspendThread, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = ResumeThread, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = lstrcpyW, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = WaitForMultipleObjects, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = CreateDirectoryW, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = FindFirstFileW, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = CreateThread, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = TerminateProcess, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = SwitchToThread, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = lstrcatW, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = FindClose, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = ResetEvent, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = FindNextFileW, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetCurrentThreadId, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = LocalAlloc, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = CreateProcessW, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = CopyFileW, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = lstrlenW, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = SetWaitableTimer, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = DeleteFileW, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetCurrentThread, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = CreateEventA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetModuleFileNameW, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetTempPathA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = InterlockedExchange, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetFileAttributesW, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetFileSize, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = CreateFileW, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = WideCharToMultiByte, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = SetLastError, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = LeaveCriticalSection, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = EnterCriticalSection, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = CreateMutexA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetComputerNameA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = OpenWaitableTimerA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = OpenMutexA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = ReleaseMutex, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetVolumeInformationA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = WaitForSingleObject, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetComputerNameW, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = InitializeCriticalSection, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = LoadLibraryExW, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetProcAddress, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetExitCodeProcess, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = CreateProcessA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetDriveTypeW, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = OpenFileMappingA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = VirtualFree, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = lstrcpynA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = LocalReAlloc, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = TlsGetValue, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = TlsSetValue, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = TlsAlloc, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = LoadLibraryW, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetVersionExW, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = FreeLibrary, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = ReadFile, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = SetFilePointer, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = Thread32Next, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = QueueUserAPC, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = Thread32First, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetCurrentProcessId, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = OpenThread, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = FindNextFileA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = FindFirstFileA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = DisconnectNamedPipe, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = FlushFileBuffers, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetSystemTime, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = CreateNamedPipeA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = CallNamedPipeA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = WaitNamedPipeA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = ConnectNamedPipe, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetOverlappedResult, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = CancelIo, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetCommandLineA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = ExitProcess, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = OpenEventA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetTempPathW, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = RemoveDirectoryW, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = CompareFileTime, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = SleepEx, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetFileTime, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = SetEndOfFile, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetPrivateProfileSectionNamesW, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetPrivateProfileStringW, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = lstrcmpiW, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetPrivateProfileIntW, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = RaiseException, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = Process32FirstW, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = Process32NextW, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = QueueUserWorkItem, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = CreateWaitableTimerA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = GetFileAttributesA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = VirtualProtectEx, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Load	module_name = AVIFIL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = AVIFileExit, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = AVIFileRelease, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = AVIFileInit, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = AVIStreamWrite, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = AVIFileCreateStreamA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = AVIFileOpenA, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = AVIStreamRelease, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = AVIStreamSetFormat, ordinal = 0, address_out = 0x37fe6c	1	Fn
Module	Get Address	function = AVIMakeCompressedStream, ordinal = 0, address_out = 0x37fe6c	1	Fn
System	Get Time	type = Ticks, time = 141680	1	Fn
Module	Get Handle	module_name = c:\program files (x86)\internet explorer\iexplore.exe, base_address = 0xd60000	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	module_name = AVIFIL32.dll, process_name = c:\program files (x86)\internet explorer\iexplore.exe, file_name_orig = C:\Program Files (x86)\Internet Explorer\iexplore.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsWow64Process, address_out = 0x769f195e	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77340000	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x75220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7522ca94	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x76d00000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrRChrA, address_out = 0x76d0ccf5	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x76c00000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x76c2ae5f	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x76c00000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetWindowThreadProcessId, address_out = 0x76c191b4	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = FindWindowA, address_out = 0x76c1ffe6	1	Fn
Window	Find	class_name = ProgMan	1	Fn
Mutex	Create	mutex_name = {A6611EF7-CD0C-C847-873A-517CAB0E1570}	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77340000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernelbase.dll, base_address = 0x75450000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameA, address_out = 0x7524a4b4	1	Fn
User	Get Username	-	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameA, address_out = 0x7524a4b4	1	Fn
User	Get Username	user_name_out = aETAdzjz	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetThreadDesktop, address_out = 0x76c16c63	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetUserObjectInformationA, address_out = 0x76c3d396	2	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = CloseDesktop, address_out = 0x76c200fa	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77340000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75220000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x75220000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Load	module_name = PSAPI.DLL, base_address = 0x77310000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\psapi.dll, function = EnumProcessModules, address_out = 0x77311408	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	30	Fn
Module	Get Filename	module_name = AVIFIL32.dll, process_name = c:\program files (x86)\internet explorer\iexplore.exe, file_name_orig = C:\Program Files (x86)\Internet Explorer\iexplore.exe, size = 260	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrStrIW, address_out = 0x76d146e9	10	Fn
Module	Load	module_name = WININET.DLL, base_address = 0x768e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExA, address_out = 0x75234907	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\SecureBrain\PhishWall	1	Fn
Module	Load	module_name = ieframe, base_address = 0x73c80000	1	Fn
Module	Load	module_name = ieui, base_address = 0x74950000	1	Fn
Module	Load	module_name = mshtml, base_address = 0x73500000	1	Fn
Module	Load	module_name = inetcpl.cpl, base_address = 0x73270000	1	Fn
Module	Load	module_name = ieapfltr, base_address = 0x72a20000	1	Fn
Module	Load	module_name = urlmon, base_address = 0x756b0000	1	Fn
Module	Load	module_name = WININET.dll, base_address = 0x768e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = InternetWriteFile, address_out = 0x769146da	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = InternetCanonicalizeUrlA, address_out = 0x7695a787	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = FindFirstUrlCacheEntryA, address_out = 0x7690d8ca	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = HttpEndRequestA, address_out = 0x769145ea	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = HttpSendRequestW, address_out = 0x7690ba12	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = InternetQueryOptionA, address_out = 0x768f1b56	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = InternetReadFileExW, address_out = 0x7692ae0e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = FindCloseUrlCache, address_out = 0x76928409	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = InternetOpenA, address_out = 0x7690f18e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = InternetConnectA, address_out = 0x769049e9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = InternetSetOptionA, address_out = 0x768f75e8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = HttpOpenRequestA, address_out = 0x76904c7d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = HttpSendRequestA, address_out = 0x769718f8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = InternetReadFile, address_out = 0x768fb406	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = InternetSetStatusCallback, address_out = 0x7690933e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = HttpAddRequestHeadersA, address_out = 0x768fdcd2	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = InternetCloseHandle, address_out = 0x768fab49	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = InternetQueryOptionW, address_out = 0x768f7ed7	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = HttpOpenRequestW, address_out = 0x76904a42	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = HttpQueryInfoA, address_out = 0x768fa33e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = InternetGetCookieA, address_out = 0x76972c90	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = InternetReadFileExA, address_out = 0x7692ae46	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = FindNextUrlCacheEntryA, address_out = 0x7690da09	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = DeleteUrlCacheEntry, address_out = 0x769259e8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = InternetQueryDataAvailable, address_out = 0x76905e5d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wininet.dll, function = HttpSendRequestExA, address_out = 0x76971812	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\wininet.dll, base_address = 0x768e0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\wininet.dll, base_address = 0x768e0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\wininet.dll, base_address = 0x768e0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\wininet.dll, base_address = 0x768e0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\wininet.dll, base_address = 0x768e0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\wininet.dll, base_address = 0x768e0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\wininet.dll, base_address = 0x768e0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\wininet.dll, base_address = 0x768e0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\wininet.dll, base_address = 0x768e0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\wininet.dll, base_address = 0x768e0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	57	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyA, address_out = 0x7522cc15	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExA, address_out = 0x752348ef	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExA, address_out = 0x752348ef	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x7523469d	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Config	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyA, address_out = 0x7522cd01	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY	1	Fn
System	Get Computer Name	result_out = YKYD69Q	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = ProductID, data = 48	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = ProductName, data = 87	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = CurrentVersion, data = 54	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data = 138	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Scr, type = REG_NONE	1	Fn

Thread 0x790

Category	Operation	Information	Success	Count	Logfile
System	Sleep	duration = -1 (infinite)		1	Fn

Thread 0x614

102

Category	Operation	Information	Count	Logfile
Mutex	Open	mutex_name = Local\{FCF9E212-2B0D-8EC0-95F0-8FA2992433F6}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Mutex	Open	mutex_name = Local\{4B67ACB1-2E14-B54D-90AF-42B9C45396FD}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Mutex	Open	mutex_name = Local\{A3415127-A63A-CD11-C887-3A517CAB0E15}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
System	Sleep	duration = -1 (infinite)	2	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegNotifyChangeKeyValue, address_out = 0x7522e15b	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
System	Get Time	type = Ticks, time = 151773	2	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrTrimA, address_out = 0x76d3e63c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrChrA, address_out = 0x76d0c5e6	2	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG, flags = INTERNET_FLAG_ASYNC	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = pilodirsob.com, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP/1.1, target_resource = /images/5qbVQlb0ymuWmr_2FkDD/NVO_2FaAbeais0tlU4Y/q6BT_2B9eGfIoI43LtIhuV/QtnQchMUX6n9F/B3asYZXw/_2FhYDUJMTYaB3PKILEcVcg/WMgDIGrshB/e0T_2F3OwLtl327Jy/bBo858JdBzTI/m9AayoD6ps_/2Box0bRB6Ldta7/Ec_2F84BmjL_2BnKYZQkp/kBMno7exP3mbnkFE/DFUo4OOfG5hYXwg/QTjEpneV/Z.jpeg, accept_types = 0, flags = INTERNET_FLAG_CACHE_ASYNC, INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = pilodirsob.com/images/5qbVQlb0ymuWmr_2FkDD/NVO_2FaAbeais0tlU4Y/q6BT_2B9eGfIoI43LtIhuV/QtnQchMUX6n9F/B3asYZXw/_2FhYDUJMTYaB3PKILEcVcg/WMgDIGrshB/e0T_2F3OwLtl327Jy/bBo858JdBzTI/m9AayoD6ps_/2Box0bRB6Ldta7/Ec_2F84BmjL_2BnKYZQkp/kBMno7exP3mbnkFE/DFUo4OOfG5hYXwg/QTjEpneV/Z.jpeg	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	2	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Mutex	Release	mutex_name = Local\{FCF9E212-2B0D-8EC0-95F0-8FA2992433F6}	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY	2	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Config	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY	2	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Config	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY	2	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Config	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Mutex	Release	mutex_name = Local\{4B67ACB1-2E14-B54D-90AF-42B9C45396FD}	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = LastTask, type = REG_NONE	1	Fn
File	Create	filename = \\.\pipe\{5797B6E3-CA4C-A155-8C7B-9E6580DFB269}, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OVERLAPPED	1	Fn
File	Write	filename = \\.\pipe\{5797B6E3-CA4C-A155-8C7B-9E6580DFB269}, size = 12	1	Fn Data
File	Read	filename = \\.\pipe\{5797B6E3-CA4C-A155-8C7B-9E6580DFB269}, size = 12, size_out = 0	1	Fn Data
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Read	filename = \\.\pipe\{5797B6E3-CA4C-A155-8C7B-9E6580DFB269}, size = 0, size_out = 0	1	Fn
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 451856	2	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG, flags = INTERNET_FLAG_ASYNC	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = pilodirsob.com, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP/1.1, target_resource = /images/jZqrkd6qeE46/7g6Fv_2FdEu/Do0MeEJh0LLzgG/T8TmZJYtoIN0od3xZNEfQ/2ySDg_2FTQYvHdsB/Rwkc3jVOpBTR_2F/mUe9_2Fp_2BeB_2FaY/5QbnIPuq4/uFrAnYo7qan8xnyHGrIs/fVOVgJP3OsIKrdJaf9L/pSnsMcCFz9ix_2BDc4TnBw/tiOyUqjVKd1KS/_2FTUK8h/6Pj2pznkRvVGrtjN2s5KVzU/Dtli55kT/5.gif, accept_types = 0, flags = INTERNET_FLAG_CACHE_ASYNC, INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = pilodirsob.com/images/jZqrkd6qeE46/7g6Fv_2FdEu/Do0MeEJh0LLzgG/T8TmZJYtoIN0od3xZNEfQ/2ySDg_2FTQYvHdsB/Rwkc3jVOpBTR_2F/mUe9_2Fp_2BeB_2FaY/5QbnIPuq4/uFrAnYo7qan8xnyHGrIs/fVOVgJP3OsIKrdJaf9L/pSnsMcCFz9ix_2BDc4TnBw/tiOyUqjVKd1KS/_2FTUK8h/6Pj2pznkRvVGrtjN2s5KVzU/Dtli55kT/5.gif	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	2	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Mutex	Release	mutex_name = Local\{4B67ACB1-2E14-B54D-90AF-42B9C45396FD}	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = LastTask, type = REG_NONE	1	Fn
File	Create	filename = \\.\pipe\{5797B6E3-CA4C-A155-8C7B-9E6580DFB269}, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OVERLAPPED	1	Fn
File	Write	filename = \\.\pipe\{5797B6E3-CA4C-A155-8C7B-9E6580DFB269}, size = 12	1	Fn Data
File	Read	filename = \\.\pipe\{5797B6E3-CA4C-A155-8C7B-9E6580DFB269}, size = 12, size_out = 12	1	Fn Data
File	Read	filename = \\.\pipe\{5797B6E3-CA4C-A155-8C7B-9E6580DFB269}, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 751862	2	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG, flags = INTERNET_FLAG_ASYNC	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = pilodirsob.com, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP/1.1, target_resource = /images/08fOuvOECMJ8jg/Vv5aYZdsPxbyb3uwFlLX2/pq0B3cl46_2BGd72/_2B0FmNZlKlbphQ/kpCDTXpVwciXqMvCD_/2BiQ9PCiQ/GaXe6ug2L0lbPS6KZ7Ax/iDJPeW9_2BcJ58vWzj9/uWyE2m4Hw2YnmWRdg4_2Fa/THobXHUisDQO7/WutiVtPX/ZssCVCoDsz9MJSynqJJ5CCw/3Kz9.gif, accept_types = 0, flags = INTERNET_FLAG_CACHE_ASYNC, INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = pilodirsob.com/images/08fOuvOECMJ8jg/Vv5aYZdsPxbyb3uwFlLX2/pq0B3cl46_2BGd72/_2B0FmNZlKlbphQ/kpCDTXpVwciXqMvCD_/2BiQ9PCiQ/GaXe6ug2L0lbPS6KZ7Ax/iDJPeW9_2BcJ58vWzj9/uWyE2m4Hw2YnmWRdg4_2Fa/THobXHUisDQO7/WutiVtPX/ZssCVCoDsz9MJSynqJJ5CCw/3Kz9.gif	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	2	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn

Thread 0x89c

Category	Operation	Information	Count	Logfile
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /, accept_types = 62246972, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_KEEP_CONNECTION	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_REQUEST_METHOD, size_out = 3	1	Fn Data
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrStrIA, address_out = 0x76d0d250	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS	1	Fn
Inet	Read Response	size = 88, size_out = 88	1	Fn Data
Inet	Read Response	size = 625, size_out = 625	1	Fn Data
Inet	Read Response	size = 1335, size_out = 1335	1	Fn Data
Inet	Read Response	size = 1700, size_out = 1700	1	Fn Data
Inet	Read Response	size = 3551, size_out = 3551	1	Fn Data
Inet	Read Response	size = 893, size_out = 893	1	Fn Data
Inet	Read Response	size = 2773, size_out = 2773	1	Fn Data
Inet	Read Response	size = 3255, size_out = 3255	1	Fn Data
Inet	Read Response	size = 1968, size_out = 1968	1	Fn Data
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /images/nav_logo229.png, accept_types = 62236340, flags = INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_REQUEST_METHOD, size_out = 3	1	Fn Data
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /client_204?&atyp=i&biw=1436&bih=715&ei=1CD9XOX0MZGorgTcn5yIBw, accept_types = 62239956, flags = INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_REQUEST_METHOD, size_out = 3	1	Fn Data
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /gen_204?s=webhp&t=aft&atyp=csi&ei=1CD9XOX0MZGorgTcn5yIBw&rt=wsrt.undefined,aft.374,prt.140&ima=1&imn=1, accept_types = 62239652, flags = INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_REQUEST_METHOD, size_out = 3	1	Fn Data
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /xjs/_/js/k=xjs.hp.en.CxYNq1jaiRs.O/m=sb_he,hjsa,d,csi/am=4KEW/d=1/rs=ACT90oFrCSGntP4_dk5FCcNtEAJedda8zg, accept_types = 62243780, flags = INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_REQUEST_METHOD, size_out = 3	1	Fn Data
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS	1	Fn

Thread 0x870

Category	Operation	Information	Success	Count	Logfile
Inet	Query HTTP Info	flags = HTTP_QUERY_REQUEST_METHOD, size_out = 3		1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_REQUEST_METHOD, size_out = 3		1	Fn Data

Thread 0x31c

Category	Operation	Information	Count	Logfile
Inet	Read Response	size_out = 1029	1	Fn Data
Inet	Read Response	size_out = 1401	3	Fn Data
Inet	Read Response	size_out = 250	1	Fn Data
Inet	Read Response	size_out = 0	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /favicon.ico, accept_types = 92269944, flags = INTERNET_FLAG_NEED_FILE, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_REQUEST_METHOD, size_out = 3	1	Fn Data
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS	1	Fn
Inet	Read Response	size = 1263, size_out = 1263	1	Fn Data
Inet	Read Response	size = 785, size_out = 785	1	Fn Data
Inet	Read Response	size = 733, size_out = 733	1	Fn Data
Inet	Read Response	size = 2649, size_out = 2649	1	Fn Data
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0x364

Category	Operation	Information	Count	Logfile
Inet	Read Response	size_out = 1028	1	Fn Data
Inet	Read Response	size_out = 1401	5	Fn Data
Inet	Read Response	size_out = 159	1	Fn Data
Inet	Read Response	size_out = 1242	1	Fn Data
Inet	Read Response	size_out = 1401	1	Fn Data
Inet	Read Response	size_out = 1428	1	Fn Data
Inet	Read Response	size_out = 0	1	Fn

Thread 0xbb4

Category	Operation	Information	Count	Logfile
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /images/branding/googlelogo/1x/googlelogo_white_background_color_272x92dp.png, accept_types = 96399204, flags = INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_REQUEST_METHOD, size_out = 3	1	Fn Data
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS	1	Fn

Thread 0x274

Category	Operation	Information	Count	Logfile
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0x650

249

Category	Operation	Information	Count	Logfile
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 777	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 394	1	Fn Data
Inet	Read Response	size_out = 948	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 852	1	Fn Data
Inet	Read Response	size_out = 973	1	Fn Data
Inet	Read Response	size_out = 1024	3	Fn Data
Inet	Read Response	size_out = 522	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 310	1	Fn Data
Inet	Read Response	size_out = 1024	3	Fn Data
Inet	Read Response	size_out = 118	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 398	1	Fn Data
Inet	Read Response	size_out = 1024	3	Fn Data
Inet	Read Response	size_out = 440	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 187	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 922	1	Fn Data
Inet	Read Response	size_out = 976	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 129	1	Fn Data
Inet	Read Response	size_out = 642	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 712	1	Fn Data
Inet	Read Response	size_out = 619	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 470	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 182	1	Fn Data
Inet	Read Response	size_out = 1024	3	Fn Data
Inet	Read Response	size_out = 484	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 7	1	Fn Data
Inet	Read Response	size_out = 1024	3	Fn Data
Inet	Read Response	size_out = 115	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 277	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 987	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 370	1	Fn Data
Inet	Read Response	size_out = 1024	3	Fn Data
Inet	Read Response	size_out = 10	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 275	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 750	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 125	1	Fn Data
Inet	Read Response	size_out = 1024	3	Fn Data
Inet	Read Response	size_out = 222	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 587	1	Fn Data
Inet	Read Response	size_out = 1024	3	Fn Data
Inet	Read Response	size_out = 492	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 419	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 703	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 318	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 923	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 93	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 589	1	Fn Data
Inet	Read Response	size_out = 985	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 772	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 163	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 763	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 116	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 959	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 214	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 965	1	Fn Data
Inet	Read Response	size_out = 1024	3	Fn Data
Inet	Read Response	size_out = 973	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 115	1	Fn Data
Inet	Read Response	size_out = 1024	3	Fn Data
Inet	Read Response	size_out = 174	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 265	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 804	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 260	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 803	1	Fn Data
Inet	Read Response	size_out = 848	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 137	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 102	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 621	1	Fn Data
Inet	Read Response	size_out = 894	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 473	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 215	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 621	1	Fn Data
Inet	Read Response	size_out = 919	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 355	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 11	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 844	1	Fn Data
Inet	Read Response	size_out = 756	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 803	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 125	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 507	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 333	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 158	1	Fn Data
Inet	Read Response	size_out = 621	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 163	1	Fn Data
Inet	Read Response	size_out = 958	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 743	1	Fn Data
Inet	Read Response	size_out = 996	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 588	1	Fn Data
Inet	Read Response	size_out = 941	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 328	1	Fn Data
Inet	Read Response	size_out = 902	1	Fn Data
Inet	Read Response	size_out = 1024	3	Fn Data
Inet	Read Response	size_out = 7	1	Fn Data
Inet	Read Response	size_out = 887	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 909	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 202	1	Fn Data
Inet	Read Response	size_out = 1024	3	Fn Data
Inet	Read Response	size_out = 370	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 429	1	Fn Data
Inet	Read Response	size_out = 1024	4	Fn Data
Inet	Read Response	size_out = 401	1	Fn Data
Inet	Read Response	size_out = 682	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 476	1	Fn Data
Inet	Read Response	size_out = 916	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 365	1	Fn Data
Inet	Read Response	size_out = 848	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 482	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 501	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 33	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 619	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 516	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data
Inet	Read Response	size_out = 423	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 88	1	Fn Data
Inet	Read Response	size_out = 1024	3	Fn Data
Inet	Read Response	size_out = 623	1	Fn Data
Inet	Read Response	size_out = 1024	1	Fn Data
Inet	Read Response	size_out = 105	1	Fn Data
Inet	Read Response	size_out = 1024	2	Fn Data

Process #13: cmd.exe

Information	Value
ID	#13
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /C "systeminfo.exe > C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:36, Reason: Child Process
Unmonitor	End Time: 00:02:06, Reason: Self Terminated
Monitor Duration	00:00:29

OS Process Information

Information	Value
PID	0x86c
Parent PID	0x458 (c:\windows\explorer.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 950

Dropped Files

Filename	File Size	Hash Values	Actions
C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1	2.15 KB	MD5: 9ca0b372ff5850bb42dce6fbe589337a SHA1: fec2e1203e40e9bab3c933ea38f547bbb3b2b624 SHA256: 2f1cdc7389eae91a8c043f60941f1acd64a2bb245706652f253a454e20770001 SSDeep: 48:KR0QD3CqYxnwxmzWGK/JIjdG7XSkkS3CEUXxFjCV3i6D:KR0QDyqUnwRQzPDv3Ii6D	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1	2.17 KB	MD5: fbd635e77106b300c438ad738444db24 SHA1: 2026d0e93d638ef05827b058b92432888556fe23 SHA256: 9cbf2b69d0824926f7a5cc8a6cbfd1422890d1b6139a18fb5c73524b538f28cf SSDeep: 48:KR0QD3CqYxnwxmzWGK/JIjdG7XSkkS3CEUXxFjCV3i6A:KR0QDyqUnwRQzPDv3Ii6A	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1	2.18 KB	MD5: 95c380581ab16ca2c94ac422a8b58422 SHA1: 68c5d00ed02dfbca87472359d537fd0bb0056c21 SHA256: de9603e3500aec167a0af1771009789c90421516ae693b9f1abac695a3af8f99 SSDeep: 48:KR0QD3CqYxnwxmzWGK/JIjdG7XSkkS3CEUXxFjCV3i61:KR0QDyqUnwRQzPDv3Ii61	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1	2.26 KB	MD5: 913cd32fec97b48566f5477050b33aaf SHA1: 9a9d53e9dc7851af179ba3332f23d7a479d6a1bf SHA256: 87c3b9972840f794f279a25daaa020440e08807a7714f167ce3739555c5de820 SSDeep: 48:KR0QD3CqYxnwxmzWGK/JIjdG7XSkkS3CEUXxFjCV3i69w0:KR0QDyqUnwRQzPDv3Ii69w0	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1	2.27 KB	MD5: f6d4e0598575dce762164ba79ab62e6d SHA1: 46e4a7813a54b72db5b25653fbf9ff70acfbaa85 SHA256: d8587dc5f5fe2dfd6bf195838bc5660f6f17091707a9af26957b3131aa7839e5 SSDeep: 48:KR0QD3CqYxnwxmzWGK/JIjdG7XSkkS3CEUXxFjCV3i69wp:KR0QDyqUnwRQzPDv3Ii69wp	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1	8.14 KB	MD5: 34b563dfcc7edae089ab55499f084670 SHA1: f40b182389e7765f7de3443eaa1175a986e02137 SHA256: b216ab0344cc335a28629d3ba91c89d73f20a3dab45e6168eca48dcb9a67448e SSDeep: 192:Z5q8wRKPDv3yy4EvLasmPz88r+0mITu3CQbpCVRLHVXtLhPhF8eZhDADncPXpvrC:unKP7L4EvLtmPz88r+0mWu3XbpCVRLHa	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1	25.20 KB	MD5: 54d51a4c4d122f877ed974de041332ba SHA1: 5c454b8f75c07702759cda98313590fdf6a2a238 SHA256: 765b50185a656c6d8c3d73b99ff8905c084a95cf171fd80539b866cd104c83e5 SSDeep: 768:unKPH4EvLtmPz88r+0mWu3tCVRLHVXtLhPhF8eZhDADncPXpvr2Aj75TLqdelpEo:CA4EvLtmbRr+0mWu3tCVRLHVXtLhPhFP	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1	47.89 KB	MD5: b0da96e9d25b44313aee063c747944eb SHA1: 47b37f093a7eac6a8217cb0892312a1ee1ca11f7 SHA256: f4d656ca0d06aa91f329ae11f963328b7d74835c3b4ad189af0f8651451af3cc SSDeep: 768:unKPH4EvLtmPz88r+0mWu3tCVRLHVXtLhPhF8eZhDADncPXpvr2Aj75TLqdelpEn:CA4EvLtmbRr+0mWu3tCVRLHVXtLhPhFm	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1	47.90 KB	MD5: 8898f736d5002d1c6d9d7c6e81202ba4 SHA1: dd2388772d21c16bfdcb5c3d6709906c4fb59465 SHA256: 749dffd14467f1dae82a0245b22a60ca728505bd92100473d59f8843f714dfe6 SSDeep: 768:unKPH4EvLtmPz88r+0mWu3tCVRLHVXtLhPhF8eZhDADncPXpvr2Aj75TLqdelpEU:CA4EvLtmbRr+0mWu3tCVRLHVXtLhPhFj	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1	78.82 KB	MD5: 1fdea0ffd8120c1922da4daacab1668a SHA1: 7640613e6b6b0061c528debc257f14da79730960 SHA256: 213116dd345dd9711b11f46fadc508ceb57271300cee8adefef729280f713a4b SSDeep: 1536:CA4EvLtmbRr+0mWu3tCVRLHVXtLhPhF8eZhDADncPXpvr2Aj75TLqdelpEuKhKI4:CDFIKsBLAzkfLZALAzwogu/LAzkF5cI6	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1	78.83 KB	MD5: 49c484df39aec6ecaa359b56f58f4931 SHA1: bc48076ec5095f1dbfd751d0337084d4e230bbde SHA256: b201a32b8f9ab111723fd7c3b812016be28bc6f2d56769e5721335c616c196dd SSDeep: 1536:CA4EvLtmbRr+0mWu3tCVRLHVXtLhPhF8eZhDADncPXpvr2Aj75TLqdelpEuKhKId:CDFIKsBLAzkfLZALAzwogu/LAzkF5cIn	... File Actions Show Properties Download

Threads

Thread 0x950

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-06-09 15:06:17 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 153910	1	Fn
System	Get Time	type = Performance Ctr, time = 22316480249	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a440000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = systeminfo.exe, type = file_attributes	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\systeminfo.exe, os_pid = 0x984, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #14: systeminfo.exe

Information	Value
ID	#14
File Name	c:\windows\system32\systeminfo.exe
Command Line	systeminfo.exe
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:38, Reason: Child Process
Unmonitor	End Time: 00:02:06, Reason: Self Terminated
Monitor Duration	00:00:27
Remark	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x984
Parent PID	0x86c (c:\windows\system32\cmd.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 98C 0x 97C 0x 988 0x 9DC 0x 998

Process #15: makecab.exe

Information	Value
ID	#15
File Name	c:\windows\system32\makecab.exe
Command Line	makecab.exe /F "C:\Users\aETAdzjz\AppData\Local\Temp\1FB1.bin"
Initial Working Directory	C:\Users\aETAdzjz\AppData\Roaming\MICROS~1\{F5FB2~1\
Monitor	Start Time: 00:01:40, Reason: Child Process
Unmonitor	End Time: 00:01:43, Reason: Self Terminated
Monitor Duration	00:00:02

OS Process Information

Information	Value
PID	0xa04
Parent PID	0x458 (c:\windows\explorer.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 93C

Dropped Files

Filename	File Size	Hash Values	Actions
C:\Users\aETAdzjz\AppData\Local\Temp\cab_2564_9	8 bytes	MD5: 7b5b6c7bf41e6055abd4e74476e08575 SHA1: 5c05d3a68f69258d236f6d9677cc0a42e399e7cc SHA256: 2392619f397925a165cf31634781d68b006c396611c425f6c67f338356e47f8f SSDeep: 3:P:P	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Local\Temp\cab_2564_5	84 bytes	MD5: 557102a84341d48932dd5821405d8904 SHA1: b09d2ae8acdec2e2f7dccaedc6939462ae31c0fe SHA256: cb8787267b07d9c306266d60a4a784c0abace264b6a30585efa999bd60ec4068 SSDeep: 3:j0IQyiv2PuIX3gWuBzwSdc4CxYKn:nQyivzIXwvzT/CWK	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Local\Temp\2855.bin	163 bytes	MD5: 3a74cf8b812e6aa359550e43876d7e32 SHA1: c7f1bc8fbc3cde31d971e07617dd40b6945c806a SHA256: a9ce9f70766373855522e40ea861456df07ca3a910dceb49d5e4963bdb338069 SSDeep: 3:wm/Ll5/thGl+lgG/GmSVQd8u0IQyiv2PuIX3gWuBzwSdc4CxYKn:wGTGsCG/GmSVQd8OQyivzIXwvzT/CWK	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Local\Temp\cab_2564_7	84 bytes	MD5: 4683df92be0b9be079e32bdc8dd65051 SHA1: 382b82ea028e7948d7597794838814a725cb66fa SHA256: deeb1ad922ec8b582ae8b21e3505c990d2dbe67e9b2c7387991cd1cfe2ed22ae SSDeep: 3:J8u0IQyiv2PuIX3gWuBzwSdc4CxYKn:J8OQyivzIXwvzT/CWK	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Local\Temp\cab_2564_6	35 bytes	MD5: 97005095b7b47dda90e124bd479d5d0e SHA1: 9167c3148ad8d72c77cc0c0ddf8f03e55a53aab2 SHA256: 2a608056aa132c7895661a9271f81bc125f3890467e8e208c79507fa642fe258 SSDeep: 3:fltG/GmSVC:TG/GmSVC	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Local\Temp\inf_2564_3	30 bytes	MD5: 797f0691e548f8ed2a4c68ee0ad9cfd6 SHA1: 6e10ed105fffeb1192a4f89719240896577e271f SHA256: 0e6a65bf67965d39b0abaad2dd7726237aaa0c199b163a8bd927e46df497ab9d SSDeep: 3:NLBoNBMLov:ZenD	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Local\Temp\inf_2564_4	40 bytes	MD5: d75809a21cc5bf3c1ad768638dc788b5 SHA1: 93cf96565b5b69ab3340dc68ebecae704a6bb3c0 SHA256: 8e0036bda5ae83545c7f2357bd3a88b0d4223eeb5b58f781c85f460dcab81ee1 SSDeep: 3:dJgVRl+8hGmSVA:dq5+wGmSVA	... File Actions Show Properties Download
setup.inf	946 bytes	MD5: 5c44b95912d66eff44194d4f4b1a5984 SHA1: 53221ffe07fca4c65c74924502d443eb1f79b83a SHA256: 7413f8334d06e68a4a3271ae7263054d62a8652f0fa4a7803a47d7764c18db6f SSDeep: 12:QxncDimwR8KznsPOyneJheCxSVL8IncDimwR8KznhIv:QF8vwnzn0OynKheCxwl8vwnznw	... File Actions Show Properties Download
setup.rpt	283 bytes	MD5: 4048eb7ffbab203c61aace323ee36049 SHA1: b7b76b01841aaef3b9693b7f2e88adc9e22368c9 SHA256: d9030169a70ac3e343286d0a53b3ebd31a6336d23d743c81b0ad5a3c59a38627 SSDeep: 6:vwcuK5fb/ukKpWmVKQrAs10iwezi/hGxQTyF:vAKJXKIeBrOiwe2J6F	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Local\Temp\inf_2564_2	23 bytes	MD5: 4230347e5849e9c7230227a287ae4a41 SHA1: a3fa042694dc86f05973ac07231c95cf590d606a SHA256: 2484fa669042204d83d907de45012a2aef7f6687613ce76169097240415b0abd SSDeep: 3:R0qxv:Rf	... File Actions Show Properties Download

Threads

Thread 0x93c

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-06-09 15:06:20 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 156671	1	Fn
System	Get Time	type = Performance Ctr, time = 22609508610	1	Fn
Module	Get Handle	module_name = c:\windows\system32\makecab.exe, base_address = 0xff3e0000	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x7705c4a0	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1FB1.bin, file_attributes = _O_EXCL	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1FB1.bin, size = 3	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1FB1.bin, size = 4096	1	Fn Data
File	Create	filename = CAB02564.TMP, file_attributes = _O_RDWR, _O_CREAT, _O_EXCL	1	Fn
File	Create	filename = setup.inf, file_attributes = _O_RDWR, _O_CREAT	1	Fn
File	Create	filename = CAB02564.TMP, file_attributes = _O_RDWR, _O_CREAT, _O_EXCL	1	Fn
File	Create	filename = setup.rpt, file_attributes = _O_RDWR, _O_CREAT	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\inf_2564_2, file_attributes = _O_WRONLY	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\inf_2564_3, file_attributes = _O_WRONLY	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\inf_2564_4, file_attributes = _O_WRONLY	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1FB1.bin, file_attributes = _O_EXCL	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1FB1.bin, size = 3	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1FB1.bin, size = 4096	1	Fn Data
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\CAB02564.TMP, file_attributes = _O_RDWR, _O_CREAT, _O_EXCL	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\cab_2564_5, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\cab_2564_6, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\cab_2564_7, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\cab_2564_8, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\cab_2564_9, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Get Info	filename = 01D51ED4E3ECF92009, type = file_attributes	1	Fn
File	Create	filename = 01D51ED4E3ECF92009, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE	1	Fn
File	Read	size = 32768	1	Fn Data
File	Read	size = 32670	1	Fn
File	Write	size = 16	1	Fn Data
File	Write	size = 19	1	Fn Data
File	Write	filename = C:\Users\aETAdzjz\AppData\Local\Temp\CAB02564.TMP, size = 8	1	Fn Data
File	Write	filename = C:\Users\aETAdzjz\AppData\Local\Temp\CAB02564.TMP, size = 76	1	Fn Data
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\cab_2564_10, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\cab_2564_11, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\CAB02564.TMP, size = 8	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\CAB02564.TMP, size = 76	1	Fn Data
File	Write	size = 8	1	Fn Data
File	Write	size = 76	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\CAB02564.TMP, size = 8	1	Fn
File	Write	size = 8	1	Fn Data
File	Read	size = 16	1	Fn Data
File	Read	size = 256	1	Fn Data
File	Write	size = 16	1	Fn Data
File	Write	size = 19	1	Fn Data
File	Read	size = 16	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\2855.bin, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Write	filename = C:\Users\aETAdzjz\AppData\Local\Temp\CAB02564.TMP, size = 36	1	Fn Data
File	Read	size = 8	1	Fn Data
File	Write	filename = C:\Users\aETAdzjz\AppData\Local\Temp\CAB02564.TMP, size = 8	1	Fn Data
File	Read	size = 8	1	Fn
File	Read	size = 32768	1	Fn Data
File	Write	filename = C:\Users\aETAdzjz\AppData\Local\Temp\CAB02564.TMP, size = 35	1	Fn Data
File	Read	size = 32768	1	Fn
File	Read	size = 32768	1	Fn Data
File	Write	filename = C:\Users\aETAdzjz\AppData\Local\Temp\CAB02564.TMP, size = 84	1	Fn Data
File	Read	size = 32768	1	Fn
File	Write	filename = C:\Users\aETAdzjz\AppData\Local\Temp\CAB02564.TMP, size = 4	1	Fn Data
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\cab_2564_12, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\cab_2564_13, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\cab_2564_14, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = setup.inf, file_attributes = _O_WRONLY \| _O_BINARY	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\inf_2564_2, file_attributes = _O_RDONLY \| _O_BINARY	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\inf_2564_2, size = 2048, size_out = 23	1	Fn Data
File	Write	filename = setup.inf, size = 23	1	Fn Data
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\inf_2564_3, file_attributes = _O_RDONLY \| _O_BINARY	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\inf_2564_3, size = 2048, size_out = 30	1	Fn Data
File	Write	filename = setup.inf, size = 30	1	Fn Data
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\inf_2564_4, file_attributes = _O_RDONLY \| _O_BINARY	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\inf_2564_4, size = 2048, size_out = 40	1	Fn Data
File	Write	filename = setup.inf, size = 40	1	Fn Data
File	Create	filename = setup.rpt, file_attributes = _O_WRONLY	1	Fn

Process #17: helper.exe

Information	Value
ID	#17
File Name	c:\program files (x86)\mozilla firefox\uninstall\helper.exe
Command Line	"C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppUser
Initial Working Directory	C:\Program Files (x86)\Mozilla Firefox\
Monitor	Start Time: 00:01:54, Reason: Child Process
Unmonitor	End Time: 00:02:00, Reason: Self Terminated
Monitor Duration	00:00:06

OS Process Information

Information	Value
PID	0xafc
Parent PID	0xb64 (c:\program files (x86)\mozilla firefox\firefox.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x AF8 0x B1C 0x B30

Threads

Thread 0xaf8

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetDllDirectoryW, address_out = 0x76a7004f	1	Fn
File	Add Search Path	-	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLongPathNameW, address_out = 0x769fa315	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetVersionEx, address_out = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetVersionExW, address_out = 0x769f1ae5	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLongPathNameW, address_out = 0x769fa315	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Operating System	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Get Info	filename = STD_INPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
Module	Get Filename	process_name = c:\program files (x86)\mozilla firefox\uninstall\helper.exe, file_name_orig = C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLongPathNameW, address_out = 0x769fa315	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLongPathNameW, address_out = 0x769fa315	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLongPathNameW, address_out = 0x769fa315	1	Fn
COM	Create	interface = 4E530B0A-E611-4C77-A3AC-9031D022281B, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER	1	Fn
COM	Create	interface = 000214F9-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER	2	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLongPathNameW, address_out = 0x769fa315	1	Fn
COM	Create	interface = 000214F9-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLongPathNameW, address_out = 0x769fa315	1	Fn
COM	Create	interface = 000214F9-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLongPathNameW, address_out = 0x769fa315	1	Fn
COM	Create	interface = 000214F9-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLongPathNameW, address_out = 0x769fa315	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\shell32.dll, base_address = 0x75890000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = SHChangeNotify, address_out = 0x758e7965	1	Fn

Process #20: cmd.exe

Information	Value
ID	#20
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /C "echo -------- >> C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:06, Reason: Child Process
Unmonitor	End Time: 00:02:06, Reason: Self Terminated
Monitor Duration	00:00:00

OS Process Information

Information	Value
PID	0x250
Parent PID	0x458 (c:\windows\explorer.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 310

Threads

Thread 0x310

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-06-09 15:06:45 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 181117	1	Fn
System	Get Time	type = Performance Ctr, time = 25073884016	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a710000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = size	1	Fn
File	Read	filename = STD_OUTPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 11	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #21: cmd.exe

Information	Value
ID	#21
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /C "net view >> C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:06, Reason: Child Process
Unmonitor	End Time: 00:02:21, Reason: Self Terminated
Monitor Duration	00:00:14

OS Process Information

Information	Value
PID	0x248
Parent PID	0x458 (c:\windows\explorer.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 204

Threads

Thread 0x204

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-06-09 15:06:45 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 181304	1	Fn
System	Get Time	type = Performance Ctr, time = 25093421449	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a320000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = size	1	Fn
File	Read	filename = STD_OUTPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\net.exe, os_pid = 0x6bc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000002	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #22: net.exe

Information	Value
ID	#22
File Name	c:\windows\system32\net.exe
Command Line	net view
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:06, Reason: Child Process
Unmonitor	End Time: 00:02:21, Reason: Self Terminated
Monitor Duration	00:00:14
Remark	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x6bc
Parent PID	0x248 (c:\windows\system32\cmd.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 600 0x 318

Process #27: cmd.exe

Information	Value
ID	#27
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /C "echo -------- >> C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:20, Reason: Child Process
Unmonitor	End Time: 00:02:21, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0x7dc
Parent PID	0x458 (c:\windows\explorer.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 218

Threads

Thread 0x218

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-06-09 15:06:57 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 193862	1	Fn
System	Get Time	type = Performance Ctr, time = 26470325823	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x49df0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = size	1	Fn
File	Read	filename = STD_OUTPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 11	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #28: cmd.exe

Information	Value
ID	#28
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /C "nslookup 127.0.0.1 >> C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:20, Reason: Child Process
Unmonitor	End Time: 00:02:23, Reason: Self Terminated
Monitor Duration	00:00:02

OS Process Information

Information	Value
PID	0x610
Parent PID	0x458 (c:\windows\explorer.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x A18

Threads

Thread 0xa18

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-06-09 15:06:57 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 194002	1	Fn
System	Get Time	type = Performance Ctr, time = 26484132184	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4aae0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = size	1	Fn
File	Read	filename = STD_OUTPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\nslookup.exe, os_pid = 0xb84, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #31: nslookup.exe

Information	Value
ID	#31
File Name	c:\windows\system32\nslookup.exe
Command Line	nslookup 127.0.0.1
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:20, Reason: Child Process
Unmonitor	End Time: 00:02:23, Reason: Self Terminated
Monitor Duration	00:00:02

OS Process Information

Information	Value
PID	0xb84
Parent PID	0x610 (c:\windows\system32\cmd.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x BF8 0x BFC

Threads

Thread 0xbf8

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-06-09 15:06:58 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 194314	1	Fn
System	Get Time	type = Performance Ctr, time = 26522518077	1	Fn
Module	Get Handle	module_name = c:\windows\system32\nslookup.exe, base_address = 0xff990000	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM	1	Fn
Socket	Close	type = SOCK_DGRAM	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DNSLookupOrder	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Domain	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpDomain	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = SearchList	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpSearchList	1	Fn
DNS	Get Hostname	name_out = YKyd69q	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM	1	Fn
Socket	Connect	remote_address = 192.168.0.1, remote_port = 53	1	Fn
Socket	Send	flags = NO_FLAG_SET, size = 42, size_out = 42	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 101	1	Fn Data
Socket	Close	type = SOCK_DGRAM	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM	1	Fn
Socket	Connect	remote_address = 192.168.0.1, remote_port = 53	1	Fn
Socket	Send	flags = NO_FLAG_SET, size = 40, size_out = 40	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 63	1	Fn Data
Socket	Close	type = SOCK_DGRAM	1	Fn

Process #32: cmd.exe

Information	Value
ID	#32
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /C "echo -------- >> C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:20, Reason: Child Process
Unmonitor	End Time: 00:02:23, Reason: Self Terminated
Monitor Duration	00:00:02

OS Process Information

Information	Value
PID	0x8e8
Parent PID	0x458 (c:\windows\explorer.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 8E0

Threads

Thread 0x8e0

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-06-09 15:06:59 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 195360	1	Fn
System	Get Time	type = Performance Ctr, time = 26626316976	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a980000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = size	1	Fn
File	Read	filename = STD_OUTPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 11	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #33: cmd.exe

Information	Value
ID	#33
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /C "tasklist.exe /SVC >> C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:21, Reason: Child Process
Unmonitor	End Time: 00:02:24, Reason: Self Terminated
Monitor Duration	00:00:02

OS Process Information

Information	Value
PID	0x87c
Parent PID	0x458 (c:\windows\explorer.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 880

Threads

Thread 0x880

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-06-09 15:06:59 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 195438	1	Fn
System	Get Time	type = Performance Ctr, time = 26634975501	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4abc0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = size	1	Fn
File	Read	filename = STD_OUTPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Get Info	filename = tasklist.exe, type = file_attributes	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\tasklist.exe, os_pid = 0x6ac, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #34: tasklist.exe

Information	Value
ID	#34
File Name	c:\windows\system32\tasklist.exe
Command Line	tasklist.exe /SVC
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:21, Reason: Child Process
Unmonitor	End Time: 00:02:23, Reason: Self Terminated
Monitor Duration	00:00:01
Remark	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x6ac
Parent PID	0x87c (c:\windows\system32\cmd.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 8E4 0x 35C 0x 360 0x 820 0x 8DC

Process #35: cmd.exe

Information	Value
ID	#35
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /C "echo -------- >> C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:23, Reason: Child Process
Unmonitor	End Time: 00:02:24, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0x888
Parent PID	0x458 (c:\windows\explorer.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 9D0

Threads

Thread 0x9d0

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-06-09 15:07:00 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 196124	1	Fn
System	Get Time	type = Performance Ctr, time = 26817840651	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4aad0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = size	1	Fn
File	Read	filename = STD_OUTPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 11	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #36: cmd.exe

Information	Value
ID	#36
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /C "driverquery.exe >> C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:23, Reason: Child Process
Unmonitor	End Time: 00:02:27, Reason: Self Terminated
Monitor Duration	00:00:03

OS Process Information

Information	Value
PID	0xa54
Parent PID	0x458 (c:\windows\explorer.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 9EC

Threads

Thread 0x9ec

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-06-09 15:07:00 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 196218	1	Fn
System	Get Time	type = Performance Ctr, time = 26827660239	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a110000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = size	1	Fn
File	Read	filename = STD_OUTPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Get Info	filename = driverquery.exe, type = file_attributes	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\driverquery.exe, os_pid = 0x478, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #37: driverquery.exe

Information	Value
ID	#37
File Name	c:\windows\system32\driverquery.exe
Command Line	driverquery.exe
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:23, Reason: Child Process
Unmonitor	End Time: 00:02:27, Reason: Self Terminated
Monitor Duration	00:00:03
Remark	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x478
Parent PID	0xa54 (c:\windows\system32\cmd.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x A0C 0x AE4 0x A1C 0x B18 0x A20

Process #38: cmd.exe

Information	Value
ID	#38
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /C "echo -------- >> C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:26, Reason: Child Process
Unmonitor	End Time: 00:02:27, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0x41c
Parent PID	0x458 (c:\windows\explorer.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 5FC

Threads

Thread 0x5fc

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-06-09 15:07:02 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 198807	1	Fn
System	Get Time	type = Performance Ctr, time = 27097551992	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4aa60000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = size	1	Fn
File	Read	filename = STD_OUTPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 11	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #39: cmd.exe

Information	Value
ID	#39
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:26, Reason: Child Process
Unmonitor	End Time: 00:02:29, Reason: Self Terminated
Monitor Duration	00:00:03

OS Process Information

Information	Value
PID	0x810
Parent PID	0x458 (c:\windows\explorer.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 860

Threads

Thread 0x860

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-06-09 15:07:02 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 198901	1	Fn
System	Get Time	type = Performance Ctr, time = 27106365888	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a010000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = size	1	Fn
File	Read	filename = STD_OUTPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Get Info	filename = reg.exe, type = file_attributes	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\reg.exe, os_pid = 0x31c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #40: reg.exe

10080

Information	Value
ID	#40
File Name	c:\windows\system32\reg.exe
Command Line	reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:26, Reason: Child Process
Unmonitor	End Time: 00:02:29, Reason: Self Terminated
Monitor Duration	00:00:03

OS Process Information

Information	Value
PID	0x31c
Parent PID	0x810 (c:\windows\system32\cmd.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 908

Threads

Thread 0x908

10080

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-06-09 15:07:02 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 198994	1	Fn
System	Get Time	type = Performance Ctr, time = 27123988232	1	Fn
Module	Get Handle	module_name = c:\windows\system32\reg.exe, base_address = 0xffdd0000	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX, value_name = DisplayName, data = Adobe Flash Player 11 ActiveX 64-bit	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX, value_name = Publisher, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX, value_name = Publisher, data = Adobe Systems Incorporated	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX, value_name = DisplayVersion, data = 11.2.202.233	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX, value_name = HelpLink, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX, value_name = HelpLink, data = http://www.adobe.com/go/flashplayer_support/	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX, value_name = NoModify, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX, value_name = NoModify, data = 1	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX, value_name = NoRepair, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX, value_name = NoRepair, data = 1	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX, value_name = RequiresIESysFile, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX, value_name = RequiresIESysFile, data = 4.70.0.1155	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX, value_name = URLInfoAbout, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX, value_name = URLInfoAbout, data = http://www.adobe.com	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX, value_name = URLUpdateInfo, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX, value_name = URLUpdateInfo, data = http://www.adobe.com/go/getflashplayer/	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX, value_name = VersionMajor, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX, value_name = VersionMajor, data = 11	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX, value_name = VersionMinor, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX, value_name = VersionMinor, data = 2	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX, value_name = UninstallString, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX, value_name = UninstallString, data = C:\Windows\system32\Macromed\Flash\FlashUtil64_11_2_202_233_ActiveX.exe -maintain activex	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX, value_name = DisplayIcon, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX, value_name = DisplayIcon, data = C:\Windows\system32\Macromed\Flash\FlashUtil64_11_2_202_233_ActiveX.exe	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX, value_name = EstimatedSize, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX, value_name = EstimatedSize, data = 6144	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager, value_name = SystemComponent, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager, value_name = SystemComponent, data = 1	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = UninstallString, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = UninstallString, data = "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" scenario=install scenariosubtype=ARP sourcetype=None productstoremove=ProjectProRetail.16_en-us_x-none culture=en-us version.16=16.0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = ModifyPath, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = ModifyPath, data = "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" scenario=repair platform=x64 culture=en-us	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = NoRepair, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = NoRepair, data = 0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = NoRemove, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = NoRemove, data = 0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = NoModify, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = NoModify, data = 0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = DisplayIcon, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = DisplayIcon, data = C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = DisplayName, data = Microsoft Project Professional 2016 - en-us	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = DisplayVersion, data = 16.0.8431.2079	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = Publisher, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = Publisher, data = Microsoft Corporation	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = InstallLocation, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = InstallLocation, data = C:\Program Files\Microsoft Office	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = ClickToRunComponent, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us, value_name = ClickToRunComponent, data = 1	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = UninstallString, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = UninstallString, data = "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" scenario=install scenariosubtype=ARP sourcetype=None productstoremove=ProPlusRetail.16_en-us_x-none culture=en-us version.16=16.0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = ModifyPath, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = ModifyPath, data = "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" scenario=repair platform=x64 culture=en-us	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = NoRepair, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = NoRepair, data = 0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = NoRemove, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = NoRemove, data = 0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = NoModify, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = NoModify, data = 0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = DisplayIcon, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = DisplayIcon, data = C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = DisplayName, data = Microsoft Office Professional Plus 2016 - en-us	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = DisplayVersion, data = 16.0.8431.2079	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = Publisher, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = Publisher, data = Microsoft Corporation	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = InstallLocation, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = InstallLocation, data = C:\Program Files\Microsoft Office	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = ClickToRunComponent, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us, value_name = ClickToRunComponent, data = 1	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = UninstallString, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = UninstallString, data = "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" scenario=install scenariosubtype=ARP sourcetype=None productstoremove=VisioProRetail.16_en-us_x-none culture=en-us version.16=16.0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = ModifyPath, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = ModifyPath, data = "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" scenario=repair platform=x64 culture=en-us	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = NoRepair, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = NoRepair, data = 0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = NoRemove, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = NoRemove, data = 0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = NoModify, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = NoModify, data = 0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = DisplayIcon, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = DisplayIcon, data = C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = DisplayName, data = Microsoft Visio Professional 2016 - en-us	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = DisplayVersion, data = 16.0.8431.2079	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = Publisher, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = Publisher, data = Microsoft Corporation	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = InstallLocation, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = InstallLocation, data = C:\Program Files\Microsoft Office	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = ClickToRunComponent, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us, value_name = ClickToRunComponent, data = 1	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC, value_name = NoRemove, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC, value_name = NoRemove, data = 1	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}, value_name = AuthorizedCDFPrefix, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}, value_name = AuthorizedCDFPrefix	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
For performance reasons, the remaining 5837 entries are omitted. The remaining entries can be found in glog.xml.

Process #41: cmd.exe

Information	Value
ID	#41
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /C "echo -------- >> C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:28, Reason: Child Process
Unmonitor	End Time: 00:02:29, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0x900
Parent PID	0x458 (c:\windows\explorer.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 8F8

Threads

Thread 0x8f8

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-06-09 15:07:05 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 201038	1	Fn
System	Get Time	type = Performance Ctr, time = 27328509679	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4ab10000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = size	1	Fn
File	Read	filename = STD_OUTPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 11	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #42: cmd.exe

Information	Value
ID	#42
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /C "reg.exe query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:28, Reason: Child Process
Unmonitor	End Time: 00:02:32, Reason: Self Terminated
Monitor Duration	00:00:03

OS Process Information

Information	Value
PID	0x848
Parent PID	0x458 (c:\windows\explorer.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 934

Threads

Thread 0x934

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-06-09 15:07:05 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 201116	1	Fn
System	Get Time	type = Performance Ctr, time = 27337000215	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a9c0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = size	1	Fn
File	Read	filename = STD_OUTPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Get Info	filename = reg.exe, type = file_attributes	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\reg.exe, os_pid = 0x910, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #43: reg.exe

12614

Information	Value
ID	#43
File Name	c:\windows\system32\reg.exe
Command Line	reg.exe query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" /s
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:28, Reason: Child Process
Unmonitor	End Time: 00:02:32, Reason: Self Terminated
Monitor Duration	00:00:03

OS Process Information

Information	Value
PID	0x910
Parent PID	0x848 (c:\windows\system32\cmd.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 940

Threads

Thread 0x940

12614

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-06-09 15:07:05 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 201194	1	Fn
System	Get Time	type = Performance Ctr, time = 27344687101	1	Fn
Module	Get Handle	module_name = c:\windows\system32\reg.exe, base_address = 0xff570000	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = DisplayName, data = Adobe Flash Player 10 Plugin	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = Publisher, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = Publisher, data = Adobe Systems Incorporated	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = DisplayVersion, data = 10.3.183.90	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = HelpLink, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = HelpLink, data = http://www.adobe.com/go/flashplayer_support/	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = NoModify, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = NoModify, data = 1	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = NoRepair, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = NoRepair, data = 1	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = RequiresIESysFile, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = RequiresIESysFile, data = 4.70.0.1155	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = URLInfoAbout, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = URLInfoAbout, data = http://www.adobe.com	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = URLUpdateInfo, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = URLUpdateInfo, data = http://www.adobe.com/go/getflashplayer/	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = VersionMajor, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = VersionMajor, data = 10	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = VersionMinor, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = VersionMinor, data = 3	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = UninstallString, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = UninstallString, data = C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10zr_Plugin.exe -maintain plugin	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = DisplayIcon, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = DisplayIcon, data = C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10zr_Plugin.exe	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = EstimatedSize, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = EstimatedSize, data = 6144	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager, value_name = SystemComponent, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager, value_name = SystemComponent, data = 1	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome, value_name = DisplayName, data = Google Chrome	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome, value_name = UninstallString, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome, value_name = UninstallString, data = "C:\Program Files (x86)\Google\Chrome\Application\59.0.3071.115\Installer\setup.exe" --uninstall --system-level --verbose-logging	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome, value_name = InstallLocation, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome, value_name = InstallLocation, data = C:\Program Files (x86)\Google\Chrome\Application	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome, value_name = DisplayIcon, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome, value_name = DisplayIcon, data = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe,0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome, value_name = NoModify, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome, value_name = NoModify, data = 1	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome, value_name = NoRepair, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome, value_name = NoRepair, data = 1	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome, value_name = Publisher, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome, value_name = Publisher, data = Google Inc.	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome, value_name = Version, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome, value_name = Version, data = 59.0.3071.115	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome, value_name = DisplayVersion, data = 59.0.3071.115	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome, value_name = InstallDate, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome, value_name = InstallDate, data = 20170630	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome, value_name = VersionMajor, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome, value_name = VersionMajor, data = 3071	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome, value_name = VersionMinor, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome, value_name = VersionMinor, data = 115	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US)	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US)	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US)	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US), value_name = Comments, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US), value_name = Comments, data = Mozilla Firefox 25.0 (x86 en-US)	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US)	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US), value_name = DisplayIcon, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US), value_name = DisplayIcon, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe,0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US)	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US), value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US), value_name = DisplayName, data = Mozilla Firefox 25.0 (x86 en-US)	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US)	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US), value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US), value_name = DisplayVersion, data = 25.0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US)	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US), value_name = InstallLocation, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US), value_name = InstallLocation, data = C:\Program Files (x86)\Mozilla Firefox	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US)	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US), value_name = Publisher, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US), value_name = Publisher, data = Mozilla	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US)	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US), value_name = UninstallString, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US), value_name = UninstallString, data = "C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe"	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US)	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US), value_name = URLInfoAbout, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US), value_name = URLInfoAbout, data = https://www.mozilla.org/en-US/	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US)	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US), value_name = URLUpdateInfo, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US), value_name = URLUpdateInfo, data = https://www.mozilla.org/en-US/firefox/	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US)	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US), value_name = NoModify, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US), value_name = NoModify, data = 1	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US)	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US), value_name = NoRepair, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US), value_name = NoRepair, data = 1	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US)	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US), value_name = EstimatedSize, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US), value_name = EstimatedSize, data = 50052	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US)	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = DisplayName, data = Mozilla Maintenance Service	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = UninstallString, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = UninstallString, data = "C:\Program Files (x86)\Mozilla Maintenance Service\uninstall.exe"	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = DisplayIcon, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = DisplayIcon, data = C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe,0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = DisplayVersion, data = 25.0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = Publisher, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = Publisher, data = Mozilla	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = Comments, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = Comments, data = Mozilla Maintenance Service 25.0 (x86 en-US)	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = NoModify, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = NoModify, data = 1	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = EstimatedSize, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = EstimatedSize, data = 221	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC, value_name = NoRemove, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC, value_name = NoRemove, data = 1	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}, value_name = AuthorizedCDFPrefix, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}, value_name = AuthorizedCDFPrefix	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}, value_name = Comments, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}, value_name = Comments, data = Caution. Removing this product might prevent some applications from running.	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}, value_name = Contact, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}, value_name = Contact	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
For performance reasons, the remaining 7544 entries are omitted. The remaining entries can be found in glog.xml.

Process #44: cmd.exe

Information	Value
ID	#44
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /C "echo -------- >> C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:31, Reason: Child Process
Unmonitor	End Time: 00:02:33, Reason: Self Terminated
Monitor Duration	00:00:02

OS Process Information

Information	Value
PID	0x904
Parent PID	0x458 (c:\windows\explorer.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 43C

Threads

Thread 0x43c

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 1627-02-25 21:56:43 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 203690	1	Fn
System	Get Time	type = Performance Ctr, time = 27593142315	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a7c0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = size	1	Fn
File	Read	filename = STD_OUTPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 11	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #45: cmd.exe

1347

Information	Value
ID	#45
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /U /C "type C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1 > C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin & del C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:31, Reason: Child Process
Unmonitor	End Time: 00:02:33, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0x580
Parent PID	0x458 (c:\windows\explorer.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 914

Dropped Files

Filename	File Size	Hash Values	YARA Match	Actions
C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin	157.66 KB	MD5: 389e83aca199b9d2652cf35277f354e3 SHA1: 860c41bc489c152664c3f6d98c8a96f2bbb49f47 SHA256: c6b3520a816e9eb218c587df2f0ac2059fc8840d1404156f9f705f95822c052b SSDeep: 3072:R5Rb2c4OQN9TYA0vpuQIq7ZptqAAov+Q4S0riSAwSwNTCjIWtg0XefPP3aqNVX3m:H		... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1	78.83 KB	MD5: 49c484df39aec6ecaa359b56f58f4931 SHA1: bc48076ec5095f1dbfd751d0337084d4e230bbde SHA256: b201a32b8f9ab111723fd7c3b812016be28bc6f2d56769e5721335c616c196dd SSDeep: 1536:CA4EvLtmbRr+0mWu3tCVRLHVXtLhPhF8eZhDADncPXpvr2Aj75TLqdelpEuKhKId:CDFIKsBLAzkfLZALAzwogu/LAzkF5cIn		... File Actions Show Properties Download

Threads

Thread 0x914

1347

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 1627-02-25 21:56:43 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 203768	1	Fn
System	Get Time	type = Performance Ctr, time = 27602171692	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4ab90000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77056d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x770523d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77048290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x770517e0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1, type = file_attributes	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin1, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	-	1	Fn
File	Get Info	type = file_type	1	Fn
File	Open	-	1	Fn
File	Get Info	type = size, size_out = 0	1	Fn
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	-	2	Fn
File	Read	size = 512, size_out = 512	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 160	1	Fn Data
For performance reasons, the remaining 306 entries are omitted. The remaining entries can be found in glog.xml.

Process #46: makecab.exe

Information	Value
ID	#46
File Name	c:\windows\system32\makecab.exe
Command Line	makecab.exe /F "C:\Users\aETAdzjz\AppData\Local\Temp\DB32.bin"
Initial Working Directory	C:\Users\aETAdzjz\AppData\Local\Temp\
Monitor	Start Time: 00:02:31, Reason: Child Process
Unmonitor	End Time: 00:02:33, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0x850
Parent PID	0x458 (c:\windows\explorer.exe)
Bitness	64-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 83C

Dropped Files

Filename	File Size	Hash Values	Actions
C:\Users\aETAdzjz\AppData\Local\Temp\cab_2128_5	11.12 KB	MD5: f0fbc7843742a36d1fa0ee3d5bea7318 SHA1: b79117a13a5f77c7aabc64eb7ce9db5cee147fb4 SHA256: b8ca2e1c8786fbc93a68c4b852fbaf28d9b707abae9768c73392db5553331cac SSDeep: 192:HA/0hz0PQzWTojv4EBG+GMm5Si81YA3se82UlEeUKPtpAcH8X/hEeQ:HAclzBVB/ms1FUlfPtCcc4	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Local\Temp\E3D6.bin	11.18 KB	MD5: 7921d82607b58d54073420ccba781a7c SHA1: 6acccc292018f2f7e7d5a2fd3a4ca788a7ef6c04 SHA256: dfd8530b469f7507191d7c4fd51e18523ab8deed1f753ff41b33d84d6eeb356a SSDeep: 192:IA/0hz0PQzWTojv4EBG+GMm5Si81YA3se82UkEeUKPtpAcH8X/hEez:IAclzBVB/ms1FUkfPtCccL	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Local\Temp\cab_2128_7	11.12 KB	MD5: a55ebddfea351dd54b2e256c7d7207af SHA1: 4afd19d1ec6aa8534ab799d3c90bfbca3e62f715 SHA256: fa29bf5f7ae4fc9c01014dc581dda1c60c048f67199ccc79d95d19711f607393 SSDeep: 192:8A/0hz0PQzWTojv4EBG+GMm5Si81YA3se82UkEeUKPtpAcH8X/hEez:8AclzBVB/ms1FUkfPtCccL	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Local\Temp\cab_2128_6	25 bytes	MD5: 437d9b7103a6b0952dea80da9ea5efdb SHA1: 7306aeefaf72811c24d7c3d9a481b59b98fc26ce SHA256: bdc3393366f61dc58f4bc69ce2a88d1bb6a60be78f761f54406891f9cdab1efc SSDeep: 3:jI4Vo+:jI4S+	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Local\Temp\cab_2128_9	8 bytes	MD5: ca93ffca2002a30af536a8f89e8f1215 SHA1: 68d57427d788ad063470fb500d74c85fa5a277d1 SHA256: 576ce47febf5a4589747f2fb5db219ced962c2d50911774a57b3e104f0b2b725 SSDeep: 3:l:l	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Local\Temp\inf_2564_2	23 bytes	MD5: 4230347e5849e9c7230227a287ae4a41 SHA1: a3fa042694dc86f05973ac07231c95cf590d606a SHA256: 2484fa669042204d83d907de45012a2aef7f6687613ce76169097240415b0abd SSDeep: 3:R0qxv:Rf	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Local\Temp\inf_2128_3	30 bytes	MD5: a49a8635f89cb783bc958ad9b863a14b SHA1: a5be862858f30e6ed63c9310eb562e77a9476eec SHA256: aeeb2b2ad2903e3ae19629043af276365b463b2a32198fd2c8d4d3ad1ce6df7b SSDeep: 3:NLBoFMLy:ZeFKy	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Local\Temp\inf_2128_4	33 bytes	MD5: 8dae31400c563a2d1a98aaaf3b69953b SHA1: 17e254e74e345451ab48a51edddd1cc81907c8f3 SHA256: 5cfac9756cc5df945d64f55813cc619d3ba895c27573343feb0491c932862da1 SSDeep: 3:dJgVRl4VOJin:dq54QJin	... File Actions Show Properties Download
setup.inf	939 bytes	MD5: 37e2e60fa9ebd96d400faad7d3844aed SHA1: 94451aaee90b0e24a18af8446271e696cb8fb5b3 SHA256: 3549d419005764011bad2417f538679f2a0b3e5c39f72de7b321644cbd42dee3 SSDeep: 12:QxncDimwR8KoOnsPOyneJheFC4QJi5IncDimwR8KoOnhIv:QF8vwnoOn0OynKheFC4QJi08vwnoOnw	... File Actions Show Properties Download
setup.rpt	283 bytes	MD5: 991bcff5dfe927b8d18cce62cb992c3c SHA1: c72b2597bfd44676534815bfc33349f7def7d152 SHA256: 9ea4378c0f266c2665b19dcffafddd2b640d48c07d839234e8e5907549337598 SSDeep: 3:ZO4N/Bt3+xVcuK49HXUv1z/SpkFF0SkqqsVSeKQtFb0iwYeshL/hbtXQT/ZUAa:vwcuKm3U/ukMSkYSeKQL0iwYZ/hNQTCp	... File Actions Show Properties Download

Threads

Thread 0x83c

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 1627-02-25 21:56:44 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 203971	1	Fn
System	Get Time	type = Performance Ctr, time = 27622200759	1	Fn
Module	Get Handle	module_name = c:\windows\system32\makecab.exe, base_address = 0xffe10000	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77040000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x7705c4a0	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\DB32.bin, file_attributes = _O_EXCL	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\DB32.bin, size = 3	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\DB32.bin, size = 4096	1	Fn Data
File	Create	filename = CAB02128.TMP, file_attributes = _O_RDWR, _O_CREAT, _O_EXCL	1	Fn
File	Create	filename = setup.inf, file_attributes = _O_RDWR, _O_CREAT	1	Fn
File	Create	filename = CAB02128.TMP, file_attributes = _O_RDWR, _O_CREAT, _O_EXCL	1	Fn
File	Create	filename = setup.rpt, file_attributes = _O_RDWR, _O_CREAT	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\inf_2128_2, file_attributes = _O_WRONLY	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\inf_2128_3, file_attributes = _O_WRONLY	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\inf_2128_4, file_attributes = _O_WRONLY	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\DB32.bin, file_attributes = _O_EXCL	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\DB32.bin, size = 3	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\DB32.bin, size = 4096	1	Fn Data
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\CAB02128.TMP, file_attributes = _O_RDWR, _O_CREAT, _O_EXCL	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\cab_2128_5, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\cab_2128_6, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\cab_2128_7, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\cab_2128_8, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\cab_2128_9, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin, type = file_attributes	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\1D0E.bin, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE	1	Fn
File	Read	size = 32768	1	Fn Data
File	Write	filename = C:\Users\aETAdzjz\AppData\Local\Temp\CAB02128.TMP, size = 8	1	Fn Data
File	Write	filename = C:\Users\aETAdzjz\AppData\Local\Temp\CAB02128.TMP, size = 7633	1	Fn Data
File	Read	size = 32768	1	Fn Data
File	Write	filename = C:\Users\aETAdzjz\AppData\Local\Temp\CAB02128.TMP, size = 8	1	Fn Data
File	Write	filename = C:\Users\aETAdzjz\AppData\Local\Temp\CAB02128.TMP, size = 2731	1	Fn Data
File	Read	size = 32768	1	Fn Data
File	Read	size = 17582	1	Fn
File	Write	size = 16	1	Fn Data
File	Write	size = 9	1	Fn Data
File	Write	filename = C:\Users\aETAdzjz\AppData\Local\Temp\CAB02128.TMP, size = 8	1	Fn Data
File	Write	filename = C:\Users\aETAdzjz\AppData\Local\Temp\CAB02128.TMP, size = 994	1	Fn Data
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\cab_2128_10, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\cab_2128_11, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\CAB02128.TMP, size = 8	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\CAB02128.TMP, size = 7633	1	Fn Data
File	Write	size = 8	1	Fn Data
File	Write	size = 7633	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\CAB02128.TMP, size = 8	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\CAB02128.TMP, size = 2731	1	Fn Data
File	Write	size = 8	1	Fn Data
File	Write	size = 2731	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\CAB02128.TMP, size = 8	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\CAB02128.TMP, size = 994	1	Fn Data
File	Write	size = 8	1	Fn Data
File	Write	size = 994	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\CAB02128.TMP, size = 8	1	Fn
File	Write	size = 8	1	Fn Data
File	Read	size = 16	1	Fn Data
File	Read	size = 256	1	Fn Data
File	Write	size = 16	1	Fn Data
File	Write	size = 9	1	Fn Data
File	Read	size = 16	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\E3D6.bin, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Write	filename = C:\Users\aETAdzjz\AppData\Local\Temp\DB32.bin, size = 36	1	Fn Data
File	Read	size = 8	1	Fn Data
File	Write	filename = C:\Users\aETAdzjz\AppData\Local\Temp\DB32.bin, size = 8	1	Fn Data
File	Read	size = 8	1	Fn
File	Read	size = 32768	1	Fn Data
File	Write	filename = C:\Users\aETAdzjz\AppData\Local\Temp\DB32.bin, size = 25	1	Fn Data
File	Read	size = 32768	1	Fn
File	Read	size = 32768	1	Fn Data
File	Write	filename = C:\Users\aETAdzjz\AppData\Local\Temp\DB32.bin, size = 11382	1	Fn Data
File	Read	size = 32768	1	Fn
File	Write	filename = C:\Users\aETAdzjz\AppData\Local\Temp\DB32.bin, size = 4	1	Fn Data
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\cab_2128_12, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\cab_2128_13, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\cab_2128_14, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE	1	Fn
File	Create	filename = setup.inf, file_attributes = _O_WRONLY \| _O_BINARY	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\inf_2128_2, file_attributes = _O_RDONLY \| _O_BINARY	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\inf_2128_2, size = 2048, size_out = 23	1	Fn Data
File	Write	filename = setup.inf, size = 23	1	Fn Data
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\inf_2128_3, file_attributes = _O_RDONLY \| _O_BINARY	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\inf_2128_3, size = 2048, size_out = 30	1	Fn Data
File	Write	filename = setup.inf, size = 30	1	Fn Data
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\inf_2128_4, file_attributes = _O_RDONLY \| _O_BINARY	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\inf_2128_4, size = 2048, size_out = 33	1	Fn Data
File	Write	filename = setup.inf, size = 33	1	Fn Data
File	Create	filename = setup.rpt, file_attributes = _O_WRONLY	1	Fn

Remarks

Monitored Processes

Behavior Information - Sequential View

Before

After