order ref ftp (HawkEye)

Monitored Processes

Process Overview

ID	PID	Monitor Reason	Integrity Level	Image Name	Command Line	Origin ID
#1	0xfcc	Analysis Target	High (Elevated)	order ref ftp.exe	"C:\Users\CIiHmnxMn6Ps\Desktop\order ref ftp.exe"	-
#4	0xc54	Child Process	High (Elevated)	vbc.exe	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp"	#1
#5	0xe1c	Child Process	High (Elevated)	vbc.exe	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp"	#1

Behavior Information - Sequential View

Process #1: order ref ftp.exe

546

Information	Value
ID	#1
File Name	c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe
Command Line	"C:\Users\CIiHmnxMn6Ps\Desktop\order ref ftp.exe"
Initial Working Directory	C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor	Start Time: 00:00:38, Reason: Analysis Target
Unmonitor	End Time: 00:04:38, Reason: Terminated by Timeout
Monitor Duration	00:04:00

OS Process Information

Information	Value
PID	0xfcc
Parent PID	0x820 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x FD0 0x FF8 0x FFC 0x 2F4 0x 85C 0x 918 0x D78 0x D70 0x D68 0x D3C 0x D30 0x D84 0x CEC 0x 0 0x 148 0x 810 0x 814 0x 2E4 0x BF8 0x ECC

Region

Name	Start VA	End VA	Type	Permissions	Actions
order ref ftp.exe	0x00d10000	0x00d9ffff	Memory Mapped File	rwx	... Region Actions Download Dump
private_0x0000000000da0000	0x00da0000	0x00dbffff	Private Memory	rw	-
pagefile_0x0000000000da0000	0x00da0000	0x00daffff	Pagefile Backed Memory	rw	-
private_0x0000000000db0000	0x00db0000	0x00db3fff	Private Memory	rw	-
private_0x0000000000dc0000	0x00dc0000	0x00dc1fff	Private Memory	rw	-
private_0x0000000000dc0000	0x00dc0000	0x00dc0fff	Private Memory	rw	-
pagefile_0x0000000000dd0000	0x00dd0000	0x00de3fff	Pagefile Backed Memory	r	-
private_0x0000000000df0000	0x00df0000	0x00e2ffff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00f2ffff	Private Memory	rw	-
pagefile_0x0000000000f30000	0x00f30000	0x00f33fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000f40000	0x00f40000	0x00f40fff	Pagefile Backed Memory	r	-
private_0x0000000000f50000	0x00f50000	0x00f51fff	Private Memory	rw	-
locale.nls	0x00f60000	0x0101dfff	Memory Mapped File	r	-
private_0x0000000001020000	0x01020000	0x0105ffff	Private Memory	rw	-
private_0x0000000001060000	0x01060000	0x01060fff	Private Memory	rw	-
pagefile_0x0000000001070000	0x01070000	0x01070fff	Pagefile Backed Memory	r	-
pagefile_0x0000000001080000	0x01080000	0x01080fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000001090000	0x01090000	0x01090fff	Pagefile Backed Memory	rw	-
private_0x00000000010a0000	0x010a0000	0x010affff	Private Memory	-	-
private_0x00000000010b0000	0x010b0000	0x010bffff	Private Memory	-	-
private_0x00000000010c0000	0x010c0000	0x010cffff	Private Memory	-	-
private_0x00000000010d0000	0x010d0000	0x010dffff	Private Memory	-	-
private_0x00000000010e0000	0x010e0000	0x010effff	Private Memory	-	-
private_0x00000000010f0000	0x010f0000	0x010fffff	Private Memory	-	-
pagefile_0x0000000001100000	0x01100000	0x01100fff	Pagefile Backed Memory	rw	-
private_0x0000000001110000	0x01110000	0x0111ffff	Private Memory	rw	-
private_0x0000000001120000	0x01120000	0x0121ffff	Private Memory	rw	-
private_0x0000000001220000	0x01220000	0x0122ffff	Private Memory	-	-
private_0x0000000001230000	0x01230000	0x0132ffff	Private Memory	rw	-
private_0x0000000001330000	0x01330000	0x0136ffff	Private Memory	rw	-
private_0x0000000001370000	0x01370000	0x0140ffff	Private Memory	rw	-
pagefile_0x0000000001370000	0x01370000	0x013e1fff	Pagefile Backed Memory	rw	-
private_0x00000000013f0000	0x013f0000	0x013fffff	Private Memory	-	-
private_0x0000000001400000	0x01400000	0x0140ffff	Private Memory	rw	-
pagefile_0x0000000001400000	0x01400000	0x01400fff	Pagefile Backed Memory	r	-
l_intl.nls	0x01410000	0x01412fff	Memory Mapped File	r	-
pagefile_0x0000000001420000	0x01420000	0x01420fff	Pagefile Backed Memory	r	-
private_0x0000000001430000	0x01430000	0x0143ffff	Private Memory	rw	-
private_0x0000000001440000	0x01440000	0x0144ffff	Private Memory	rw	-
private_0x0000000001450000	0x01450000	0x0154ffff	Private Memory	rw	-
private_0x0000000001550000	0x01550000	0x0155ffff	Private Memory	-	-
pagefile_0x0000000001560000	0x01560000	0x01560fff	Pagefile Backed Memory	r	-
sorttbls.nlp	0x01570000	0x01574fff	Memory Mapped File	r	-
private_0x0000000001580000	0x01580000	0x0158ffff	Private Memory	rw	-
pagefile_0x0000000001590000	0x01590000	0x01590fff	Pagefile Backed Memory	r	-
private_0x00000000015a0000	0x015a0000	0x015affff	Private Memory	-	-
private_0x00000000015b0000	0x015b0000	0x015bffff	Private Memory	rw	-
pagefile_0x00000000015c0000	0x015c0000	0x01747fff	Pagefile Backed Memory	r	-
pagefile_0x0000000001750000	0x01750000	0x018d0fff	Pagefile Backed Memory	r	-
pagefile_0x00000000018e0000	0x018e0000	0x02cdffff	Pagefile Backed Memory	r	-
private_0x0000000002ce0000	0x02ce0000	0x02d1ffff	Private Memory	rw	-
private_0x0000000002d20000	0x02d20000	0x02e1ffff	Private Memory	rw	-
private_0x0000000002e20000	0x02e20000	0x02e5ffff	Private Memory	rw	-
private_0x0000000002e70000	0x02e70000	0x02e7ffff	Private Memory	rwx	-
sortdefault.nls	0x02e80000	0x031b6fff	Memory Mapped File	r	-
private_0x00000000031c0000	0x031c0000	0x051bffff	Private Memory	rw	-
private_0x00000000051c0000	0x051c0000	0x0539ffff	Private Memory	rw	-
private_0x00000000051c0000	0x051c0000	0x052effff	Private Memory	rw	-
private_0x00000000052f0000	0x052f0000	0x0532ffff	Private Memory	rw	-
private_0x0000000005330000	0x05330000	0x0536ffff	Private Memory	rw	-
private_0x0000000005390000	0x05390000	0x0539ffff	Private Memory	rw	-
private_0x00000000053a0000	0x053a0000	0x0639ffff	Private Memory	rw	-
private_0x00000000063a0000	0x063a0000	0x0739ffff	Private Memory	rw	-
private_0x00000000073a0000	0x073a0000	0x075effff	Private Memory	rw	-
private_0x00000000075f0000	0x075f0000	0x076effff	Private Memory	rw	-
private_0x00000000076f0000	0x076f0000	0x077effff	Private Memory	rw	-
private_0x00000000077f0000	0x077f0000	0x078effff	Private Memory	rw	-
private_0x00000000078f0000	0x078f0000	0x0792ffff	Private Memory	rw	-
private_0x0000000007930000	0x07930000	0x07a2ffff	Private Memory	rw	-
private_0x0000000007a30000	0x07a30000	0x07a6ffff	Private Memory	rw	-
private_0x0000000007a70000	0x07a70000	0x07b6ffff	Private Memory	rw	-
private_0x0000000007b70000	0x07b70000	0x07baffff	Private Memory	rw	-
private_0x0000000007bb0000	0x07bb0000	0x07caffff	Private Memory	rw	-
private_0x0000000007cb0000	0x07cb0000	0x07ceffff	Private Memory	rw	-
private_0x0000000007cf0000	0x07cf0000	0x07deffff	Private Memory	rw	-
sortkey.nlp	0x07df0000	0x07e30fff	Memory Mapped File	r	-
fastprox.dll	0x71b70000	0x71c2bfff	Memory Mapped File	rwx	-
wbemcomn.dll	0x71c30000	0x71c95fff	Memory Mapped File	rwx	-
system.windows.forms.ni.dll	0x71ca0000	0x7287ffff	Memory Mapped File	rwx	-
system.ni.dll	0x72880000	0x73022fff	Memory Mapped File	rwx	-
wow64cpu.dll	0x73030000	0x73037fff	Memory Mapped File	rwx	-
wow64.dll	0x73040000	0x7308efff	Memory Mapped File	rwx	-
wow64win.dll	0x73090000	0x73102fff	Memory Mapped File	rwx	-
wbemsvc.dll	0x73130000	0x73140fff	Memory Mapped File	rwx	-
wminet_utils.dll	0x73150000	0x73158fff	Memory Mapped File	rwx	-
wbemprox.dll	0x73160000	0x7316cfff	Memory Mapped File	rwx	-
wmiutils.dll	0x73170000	0x7318dfff	Memory Mapped File	rwx	-
system.management.ni.dll	0x73190000	0x73293fff	Memory Mapped File	rwx	-
rsaenh.dll	0x732a0000	0x732cefff	Memory Mapped File	rwx	-
bcrypt.dll	0x732d0000	0x732eafff	Memory Mapped File	rwx	-
cryptsp.dll	0x732f0000	0x73302fff	Memory Mapped File	rwx	-
microsoft.visualbasic.ni.dll	0x73310000	0x734b4fff	Memory Mapped File	rwx	-
system.drawing.ni.dll	0x734c0000	0x73648fff	Memory Mapped File	rwx	-
mscorjit.dll	0x73650000	0x736aafff	Memory Mapped File	rwx	-
mscorlib.ni.dll	0x736b0000	0x741a9fff	Memory Mapped File	rwx	-
msvcr80.dll	0x741b0000	0x7424afff	Memory Mapped File	rwx	-
mscorwks.dll	0x74250000	0x747fffff	Memory Mapped File	rwx	-
version.dll	0x74800000	0x74807fff	Memory Mapped File	rwx	-
mscoreei.dll	0x74810000	0x74887fff	Memory Mapped File	rwx	-
mscoree.dll	0x74890000	0x748e8fff	Memory Mapped File	rwx	-
uxtheme.dll	0x74910000	0x74984fff	Memory Mapped File	rwx	-
apphelp.dll	0x74990000	0x74a20fff	Memory Mapped File	rwx	-
bcryptprimitives.dll	0x74a30000	0x74a88fff	Memory Mapped File	rwx	-
cryptbase.dll	0x74a90000	0x74a99fff	Memory Mapped File	rwx	-
sspicli.dll	0x74aa0000	0x74abdfff	Memory Mapped File	rwx	-
nsi.dll	0x74ac0000	0x74ac6fff	Memory Mapped File	rwx	-
user32.dll	0x74ad0000	0x74c0ffff	Memory Mapped File	rwx	-
shlwapi.dll	0x74c10000	0x74c53fff	Memory Mapped File	rwx	-
advapi32.dll	0x74c60000	0x74cdafff	Memory Mapped File	rwx	-
powrprof.dll	0x74ce0000	0x74d23fff	Memory Mapped File	rwx	-
kernelbase.dll	0x74d30000	0x74ea5fff	Memory Mapped File	rwx	-
combase.dll	0x74f70000	0x75129fff	Memory Mapped File	rwx	-
kernel32.dll	0x75130000	0x7521ffff	Memory Mapped File	rwx	-
imm32.dll	0x75220000	0x7524afff	Memory Mapped File	rwx	-
kernel.appcore.dll	0x752b0000	0x752bbfff	Memory Mapped File	rwx	-
shell32.dll	0x752c0000	0x7667efff	Memory Mapped File	rwx	-
windows.storage.dll	0x76800000	0x76cdcfff	Memory Mapped File	rwx	-
oleaut32.dll	0x76ce0000	0x76d71fff	Memory Mapped File	rwx	-
msctf.dll	0x76da0000	0x76ebffff	Memory Mapped File	rwx	-
ws2_32.dll	0x76ed0000	0x76f2bfff	Memory Mapped File	rwx	-
ole32.dll	0x76f30000	0x77019fff	Memory Mapped File	rwx	-
sechost.dll	0x770b0000	0x770f2fff	Memory Mapped File	rwx	-
profapi.dll	0x77100000	0x7710efff	Memory Mapped File	rwx	-
shcore.dll	0x771d0000	0x7725cfff	Memory Mapped File	rwx	-
rpcrt4.dll	0x772c0000	0x7736bfff	Memory Mapped File	rwx	-
gdi32.dll	0x77370000	0x774bcfff	Memory Mapped File	rwx	-
clbcatq.dll	0x77670000	0x776f1fff	Memory Mapped File	rwx	-
msvcrt.dll	0x778d0000	0x7798dfff	Memory Mapped File	rwx	-
ntdll.dll	0x77990000	0x77b08fff	Memory Mapped File	rwx	-
private_0x000000007f527000	0x7f527000	0x7f529fff	Private Memory	rw	-
private_0x000000007f52a000	0x7f52a000	0x7f52cfff	Private Memory	rw	-
private_0x000000007f52d000	0x7f52d000	0x7f52ffff	Private Memory	rw	-
private_0x000000007f530000	0x7f530000	0x7f53ffff	Private Memory	rwx	-
private_0x000000007f540000	0x7f540000	0x7f58ffff	Private Memory	rwx	-
private_0x000000007f591000	0x7f591000	0x7f593fff	Private Memory	rw	-
private_0x000000007f594000	0x7f594000	0x7f596fff	Private Memory	rw	-
private_0x000000007f597000	0x7f597000	0x7f599fff	Private Memory	rw	-
private_0x000000007f59a000	0x7f59a000	0x7f59cfff	Private Memory	rw	-
private_0x000000007f59d000	0x7f59d000	0x7f59ffff	Private Memory	rw	-
pagefile_0x000000007f5a0000	0x7f5a0000	0x7f69ffff	Pagefile Backed Memory	r	-
pagefile_0x000000007f6a0000	0x7f6a0000	0x7f6c2fff	Pagefile Backed Memory	r	-
private_0x000000007f6c3000	0x7f6c3000	0x7f6c5fff	Private Memory	rw	-
private_0x000000007f6c6000	0x7f6c6000	0x7f6c8fff	Private Memory	rw	-
private_0x000000007f6c9000	0x7f6c9000	0x7f6c9fff	Private Memory	rw	-
private_0x000000007f6cc000	0x7f6cc000	0x7f6cefff	Private Memory	rw	-
private_0x000000007f6cf000	0x7f6cf000	0x7f6cffff	Private Memory	rw	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7ffaf7a0ffff	Private Memory	r	-
ntdll.dll	0x7ffaf7a10000	0x7ffaf7bd1fff	Memory Mapped File	rwx	-
private_0x00007ffaf7bd2000	0x7ffaf7bd2000	0x7ffffffeffff	Private Memory	r	-
For performance reasons, the remaining 48 entries are omitted. The remaining entries can be found in flog.txt.

Created Files

Filename	File Size	Hash Values	Actions
C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp	0.00 KB	MD5: f3b25701fe362ec84616a93a45ce9998 SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 SSDeep: 3:Qn:Qn	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp	0.45 KB	MD5: 93c8c3c8da84285107aa86444a095500 SHA1: f01b6bdefe99aa2fdbfb1e185982ad75af771892 SHA256: 5ace779e0b61dfefc47ee45d84ff79fc3fa77c0e3d853e75126fc38f6f3b50b8 SSDeep: 6:QAX61qU8ezSOGbXYRADAwzRIj2SOG2AmYezRSJcnDWUiBnDWAwb:QrD8hOGTYRADzRI5OG2Ge9SJgyPlyAwb	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\877de498-eb87-4352-dee0-40eac252a007	0.06 KB	MD5: f06baf5a7b83c0b0e0d432f74350f836 SHA1: 7a3d1679d6f83ff26b858213c85e80ece939b5a4 SHA256: 3a3befb2cb000dea163bda67223b26b2ff0c232e2cdc0e42be3f7bdd8b110fb5 SSDeep: 3:Lg67SJRhfdF/QC4Vom:j74xdSC4Vom	... File Actions Show Properties Download

Threads

Thread 0xfd0

487

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	2	Fn
Environment	Get Environment String	name = COR_ENABLE_PROFILING	1	Fn
Module	Load	module_name = C:\Users\CIiHmnxMn6Ps\Desktop\order ref ftp.exe, base_address = 0xd10000	1	Fn
Module	Get Filename	module_name = C:\Users\CIiHmnxMn6Ps\Desktop\order ref ftp.exe, process_name = c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\order ref ftp.exe, size = 255	3	Fn
System	Get Info	type = Operating System	1	Fn
Mutex	Create	mutex_name = 35649757-3aea-40a9-acdb-9f15f973090c	1	Fn
System	Get Computer Name	result_out = LHNIWSJ	3	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\877de498-eb87-4352-dee0-40eac252a007, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\877de498-eb87-4352-dee0-40eac252a007, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\877de498-eb87-4352-dee0-40eac252a007, type = file_type	2	Fn
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\877de498-eb87-4352-dee0-40eac252a007, size = 64	1	Fn Data
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x74ad0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = DefWindowProcW, address_out = 0x77a0caa0	1	Fn
Module	Get Handle	module_name = c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe, base_address = 0xd10000	2	Fn
Window	Create	class_name = WindowsForms10.Window.0.app.0.378734a, wndproc_parameter = 0	1	Fn
Window	Set Attribute	class_name = WindowsForms10.Window.0.app.0.378734a, index = 18446744073709551612, new_long = 2007026336	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework, value_name = DbgJITDebugLaunchSetting, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework, value_name = DbgManagedDebugger, type = REG_NONE	1	Fn
Window	Set Attribute	class_name = WindowsForms10.Window.0.app.0.378734a, index = 18446744073709551612, new_long = 48696466	1	Fn
Module	Get Handle	module_name = c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe, base_address = 0xd10000	1	Fn
Window	Create	class_name = WindowsForms10.Window.0.app.0.378734a, wndproc_parameter = 0	1	Fn
Window	Set Attribute	class_name = WindowsForms10.Window.0.app.0.378734a, index = 18446744073709551612, new_long = 2007026336	1	Fn
Window	Set Attribute	class_name = WindowsForms10.Window.0.app.0.378734a, index = 18446744073709551612, new_long = 48696514	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Desktop\order ref ftp.config, type = file_attributes	1	Fn
File	Create Temp File	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, path = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\, prefix = tmp	1	Fn
Process	Create	process_name = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, os_pid = 0xc54, creation_flags = CREATE_SUSPENDED, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE	1	Fn
Thread	Get Context	process_name = c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe, os_tid = 0xfd0	1	Fn
Memory	Read	process_name = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, address = 0x7ffde008, size = 4	1	Fn Data
Module	Unmap	process_name = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	1	Fn
Memory	Allocate	process_name = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 372736	1	Fn
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, address = 0x400000, size = 1024	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, address = 0x401000, size = 278528	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, address = 0x445000, size = 48128	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, address = 0x451000, size = 5632	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, address = 0x454000, size = 27136	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, address = 0x7ffde008, size = 4	1	Fn Data
Thread	Set Context	process_name = c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe, os_tid = 0xfd0	1	Fn
Thread	Resume	process_name = c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe, os_tid = 0xfd0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 2	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, type = file_attributes	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp, path = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\, prefix = tmp	1	Fn
Process	Create	process_name = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, os_pid = 0xe1c, creation_flags = CREATE_SUSPENDED, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE	1	Fn
Thread	Get Context	process_name = c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe, os_tid = 0xfd0	1	Fn
Memory	Read	process_name = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, address = 0x7ffde008, size = 4	1	Fn Data
Module	Unmap	process_name = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	1	Fn
Memory	Allocate	process_name = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 114688	1	Fn
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, address = 0x400000, size = 1024	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, address = 0x401000, size = 71168	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, address = 0x413000, size = 14848	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, address = 0x417000, size = 3072	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, address = 0x419000, size = 12288	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, address = 0x7ffde008, size = 4	1	Fn Data
Thread	Set Context	process_name = c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe, os_tid = 0xfd0	1	Fn
Thread	Resume	process_name = c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe, os_tid = 0xfd0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp, size = 4096, size_out = 0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp, type = file_type	2	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp, size = 4096, size_out = 462	1	Fn Data
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp, type = file_attributes	1	Fn
File	Delete	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\FileZilla, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Beyluxe Messenger	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\CoreFTP\sites.idx, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\.minecraft\lastlogin, type = file_attributes	1	Fn
System	Get Computer Name	result_out = LHNIWSJ	1	Fn
System	Get Computer Name	result_out = LHNIWSJ	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = file_attributes	2	Fn
File	Create	filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = file_type	2	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = size, size_out = 0	1	Fn
File	Read	filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 1459	1	Fn Data
File	Read	filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\Desktop\order ref ftp.config, type = file_attributes	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = Client, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config, type = file_attributes	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM	1	Fn
Socket	Close	type = SOCK_DGRAM	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM	1	Fn
Socket	Close	type = SOCK_DGRAM	1	Fn
System	Get Computer Name	result_out = LHNIWSJ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = 0, type = REG_EXPAND_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = %systemroot%\system32\netfxperf.dll, type = REG_EXPAND_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, data = 5840, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = Counter Names, type = REG_BINARY	2	Fn Data
Module	Create Mapping	filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072	1	Fn
Module	Map	process_name = c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe, desired_access = FILE_MAP_WRITE	1	Fn
System	Get Info	type = Operating System	2	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Open	mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework, value_name = LegacyWPADSupport, type = REG_NONE	1	Fn
Inet	Open Session	access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Mutex	Create	-	1	Fn
Mutex	Release	-	1	Fn
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM	1	Fn
DNS	Resolve Name	host = ftp.r2v2.co.uk, address_out = 216.37.42.30	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM	1	Fn
Socket	Connect	remote_address = 216.37.42.30, remote_port = 21	1	Fn
Socket	Close	type = SOCK_STREAM	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 1024, size_out = 320	1	Fn Data
Socket	Send	flags = NO_FLAG_SET, size = 23, size_out = 23	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1024, size_out = 49	1	Fn Data
Socket	Send	flags = NO_FLAG_SET, size = 19, size_out = 19	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1024, size_out = 43	1	Fn Data
Socket	Send	flags = NO_FLAG_SET, size = 14, size_out = 14	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1024, size_out = 23	1	Fn Data
Socket	Send	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1024, size_out = 34	1	Fn Data
Socket	Send	flags = NO_FLAG_SET, size = 7, size_out = 7	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1024, size_out = 32	1	Fn Data
Socket	Send	flags = NO_FLAG_SET, size = 8, size_out = 8	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1024, size_out = 30	1	Fn Data
Socket	Send	flags = NO_FLAG_SET, size = 6, size_out = 6	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1024, size_out = 49	1	Fn Data
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Socket	Bind	protocol = IPPROTO_TCP, local_address = 192.168.0.51, local_port = 49429, hint = OS assigned a local port from the dynamic client port range	1	Fn
Socket	Connect	remote_address = 216.37.42.30, remote_port = 55376	1	Fn
Socket	Send	flags = NO_FLAG_SET, size = 88, size_out = 88	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1024, size_out = 30	1	Fn Data
Socket	Send	flags = NO_FLAG_SET, size = 535, size_out = 535	1	Fn Data
Socket	Close	type = SOCK_STREAM	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 1024, size_out = 94	1	Fn Data
Module	Get Handle	module_name = c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe, base_address = 0xd10000	2	Fn
Window	Create	class_name = WindowsForms10.Window.8.app.0.378734a, wndproc_parameter = 0	1	Fn
Window	Set Attribute	class_name = WindowsForms10.Window.8.app.0.378734a, index = 18446744073709551612, new_long = 2007026336	1	Fn
Window	Set Attribute	class_name = WindowsForms10.Window.8.app.0.378734a, index = 18446744073709551612, new_long = 48697666	1	Fn

Thread 0x2f4

Category	Operation	Information	Success	Count	Logfile
Window	Set Attribute	class_name = WindowsForms10.Window.0.app.0.378734a, index = 18446744073709551612, new_long = 2007026336		1	Fn

Thread 0xd78

Category	Operation	Information	Success	Count	Logfile
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER		4	Fn

Thread 0xd30

Category	Operation	Information	Count	Logfile
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
Module	Load	module_name = C:\Windows\Microsoft.NET\Framework\v2.0.50727\\wminet_utils.dll, base_address = 0x73150000	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = ResetSecurity, address_out = 0x73151944	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = SetSecurity, address_out = 0x73151986	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = BlessIWbemServices, address_out = 0x731519cc	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = BlessIWbemServicesObject, address_out = 0x73151a1e	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetPropertyHandle, address_out = 0x73151a70	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = WritePropertyValue, address_out = 0x73151a89	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = Clone, address_out = 0x73151aa2	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = VerifyClientKey, address_out = 0x73152270	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetQualifierSet, address_out = 0x73151d73	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = Get, address_out = 0x73151b96	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = Put, address_out = 0x73151b7a	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = Delete, address_out = 0x73151bb5	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetNames, address_out = 0x73151bc8	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = BeginEnumeration, address_out = 0x73151be4	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = Next, address_out = 0x73151bf7	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = EndEnumeration, address_out = 0x73151c16	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetPropertyQualifierSet, address_out = 0x73151c26	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = Clone, address_out = 0x73151aa2	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetObjectText, address_out = 0x73151c3c	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = SpawnDerivedClass, address_out = 0x73151c52	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = SpawnInstance, address_out = 0x73151c68	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = CompareTo, address_out = 0x73151c7e	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetPropertyOrigin, address_out = 0x73151c94	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = InheritsFrom, address_out = 0x73151caa	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetMethod, address_out = 0x73151cbd	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = PutMethod, address_out = 0x73151cd9	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = DeleteMethod, address_out = 0x73151cf5	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = BeginMethodEnumeration, address_out = 0x73151d08	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = NextMethod, address_out = 0x73151d1b	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = EndMethodEnumeration, address_out = 0x73151d37	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetMethodQualifierSet, address_out = 0x73151d47	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetMethodOrigin, address_out = 0x73151d5d	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = QualifierSet_Get, address_out = 0x73151d86	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = QualifierSet_Put, address_out = 0x73151da2	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = QualifierSet_Delete, address_out = 0x73151dbb	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = QualifierSet_GetNames, address_out = 0x73151dce	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = QualifierSet_BeginEnumeration, address_out = 0x73151de4	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = QualifierSet_Next, address_out = 0x73151df7	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = QualifierSet_EndEnumeration, address_out = 0x73151e13	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetCurrentApartmentType, address_out = 0x73151d73	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetDemultiplexedStub, address_out = 0x731518fd	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = CreateInstanceEnumWmi, address_out = 0x73151580	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = CreateClassEnumWmi, address_out = 0x731515f6	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = ExecQueryWmi, address_out = 0x7315169e	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = ExecNotificationQueryWmi, address_out = 0x73151717	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = PutInstanceWmi, address_out = 0x73151790	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = PutClassWmi, address_out = 0x73151810	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = CloneEnumWbemClassObject, address_out = 0x73151890	1	Fn
Module	Get Address	module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = ConnectServerWmi, address_out = 0x731524b7	1	Fn
COM	Create	interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER	1	Fn

Thread 0xcec

Category	Operation	Information	Success	Count	Logfile
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER		1	Fn
COM	Create	interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER		1	Fn

Thread 0xbf8

Category	Operation	Information	Success	Count	Logfile
Socket	Close	type = SOCK_STREAM		1	Fn

Process #4: vbc.exe

410

Information	Value
ID	#4
File Name	c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
Command Line	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp"
Initial Working Directory	C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor	Start Time: 00:01:06, Reason: Child Process
Unmonitor	End Time: 00:01:10, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

Information	Value
PID	0xc54
Parent PID	0xfcc (c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x CE8 0x C34 0x A74

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00023fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
pagefile_0x0000000000040000	0x00040000	0x00053fff	Pagefile Backed Memory	r	-
private_0x0000000000060000	0x00060000	0x0009ffff	Private Memory	rw	-
private_0x00000000000a0000	0x000a0000	0x0019ffff	Private Memory	rw	-
pagefile_0x00000000001a0000	0x001a0000	0x001a3fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001b0000	0x001b0000	0x001b0fff	Pagefile Backed Memory	r	-
private_0x00000000001c0000	0x001c0000	0x001c1fff	Private Memory	rw	-
locale.nls	0x001d0000	0x0028dfff	Memory Mapped File	r	-
private_0x0000000000290000	0x00290000	0x002cffff	Private Memory	rw	-
private_0x00000000002d0000	0x002d0000	0x002d0fff	Private Memory	rw	-
pagefile_0x00000000002e0000	0x002e0000	0x002e0fff	Pagefile Backed Memory	rw	-
private_0x00000000002f0000	0x002f0000	0x002fffff	Private Memory	rw	-
private_0x00000000002f0000	0x002f0000	0x00305fff	Private Memory	rw	-
pagefile_0x00000000002f0000	0x002f0000	0x002f7fff	Pagefile Backed Memory	rw	-
counters.dat	0x002f0000	0x002f0fff	Memory Mapped File	rw	... Region Actions Download Dump
pagefile_0x0000000000300000	0x00300000	0x0030ffff	Pagefile Backed Memory	r	-
pagefile_0x0000000000310000	0x00310000	0x00317fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000310000	0x00310000	0x00314fff	Pagefile Backed Memory	rw	-
private_0x0000000000310000	0x00310000	0x0034ffff	Private Memory	rw	-
private_0x0000000000350000	0x00350000	0x00353fff	Private Memory	rw	-
private_0x0000000000360000	0x00360000	0x0036ffff	Private Memory	rw	-
private_0x0000000000370000	0x00370000	0x00370fff	Private Memory	rw	-
tzres.dll	0x00370000	0x00372fff	Memory Mapped File	r	-
private_0x0000000000370000	0x00370000	0x0037ffff	Private Memory	rw	-
private_0x0000000000370000	0x00370000	0x00385fff	Private Memory	rw	-
pagefile_0x0000000000370000	0x00370000	0x00377fff	Pagefile Backed Memory	rw	-
tzres.dll.mui	0x00380000	0x00388fff	Memory Mapped File	r	-
pagefile_0x0000000000390000	0x00390000	0x00397fff	Pagefile Backed Memory	rw	-
vbc.exe	0x00400000	0x0051efff	Memory Mapped File	rwx	-
private_0x0000000000400000	0x00400000	0x0045afff	Private Memory	rwx	-
private_0x0000000000460000	0x00460000	0x0055ffff	Private Memory	rw	-
ucrtbase.dll	0x00560000	0x0063bfff	Memory Mapped File	rwx	-
private_0x0000000000650000	0x00650000	0x0074ffff	Private Memory	rw	-
private_0x0000000000750000	0x00750000	0x0084ffff	Private Memory	rw	-
private_0x00000000008a0000	0x008a0000	0x008affff	Private Memory	rw	-
pagefile_0x00000000008b0000	0x008b0000	0x00a37fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000a40000	0x00a40000	0x00bc0fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000bd0000	0x00bd0000	0x01fcffff	Pagefile Backed Memory	r	-
private_0x0000000001fd0000	0x01fd0000	0x020cffff	Private Memory	rw	-
private_0x0000000002180000	0x02180000	0x0218ffff	Private Memory	rw	-
sortdefault.nls	0x02190000	0x024c6fff	Memory Mapped File	r	-
private_0x00000000024d0000	0x024d0000	0x025d0fff	Private Memory	rw	-
nss3.dll	0x024d0000	0x025fafff	Memory Mapped File	r	-
private_0x00000000024d0000	0x024d0000	0x025cffff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x026cffff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x027cefff	Private Memory	rw	-
private_0x0000000002600000	0x02600000	0x026fffff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027fffff	Private Memory	rw	-
freebl3.dll	0x70f70000	0x70fc4fff	Memory Mapped File	rwx	-
nssdbm3.dll	0x70fd0000	0x70fe8fff	Memory Mapped File	rwx	-
softokn3.dll	0x70ff0000	0x71015fff	Memory Mapped File	rwx	-
devobj.dll	0x71020000	0x71040fff	Memory Mapped File	rwx	-
msvcp140.dll	0x71050000	0x710bcfff	Memory Mapped File	rwx	-
dbghelp.dll	0x710c0000	0x711fefff	Memory Mapped File	rwx	-
winmmbase.dll	0x71200000	0x71222fff	Memory Mapped File	rwx	-
vcruntime140.dll	0x71230000	0x71244fff	Memory Mapped File	rwx	-
ucrtbase.dll	0x71250000	0x7132bfff	Memory Mapped File	rwx	-
mozglue.dll	0x71330000	0x71351fff	Memory Mapped File	rwx	-
winmm.dll	0x71360000	0x71383fff	Memory Mapped File	rwx	-
nss3.dll	0x71390000	0x714befff	Memory Mapped File	rwx	-
wintypes.dll	0x714c0000	0x71584fff	Memory Mapped File	rwx	-
vaultcli.dll	0x71590000	0x715c5fff	Memory Mapped File	rwx	-
iertutil.dll	0x715d0000	0x71890fff	Memory Mapped File	rwx	-
wininet.dll	0x718a0000	0x71ac3fff	Memory Mapped File	rwx	-
comctl32.dll	0x71ad0000	0x71b61fff	Memory Mapped File	rwx	-
wow64cpu.dll	0x73030000	0x73037fff	Memory Mapped File	rwx	-
wow64.dll	0x73040000	0x7308efff	Memory Mapped File	rwx	-
wow64win.dll	0x73090000	0x73102fff	Memory Mapped File	rwx	-
pstorec.dll	0x73110000	0x73117fff	Memory Mapped File	rwx	-
wsock32.dll	0x73110000	0x73117fff	Memory Mapped File	rwx	-
rsaenh.dll	0x732a0000	0x732cefff	Memory Mapped File	rwx	-
bcrypt.dll	0x732d0000	0x732eafff	Memory Mapped File	rwx	-
cryptsp.dll	0x732f0000	0x73302fff	Memory Mapped File	rwx	-
version.dll	0x74800000	0x74807fff	Memory Mapped File	rwx	-
bcryptprimitives.dll	0x74a30000	0x74a88fff	Memory Mapped File	rwx	-
cryptbase.dll	0x74a90000	0x74a99fff	Memory Mapped File	rwx	-
sspicli.dll	0x74aa0000	0x74abdfff	Memory Mapped File	rwx	-
nsi.dll	0x74ac0000	0x74ac6fff	Memory Mapped File	rwx	-
user32.dll	0x74ad0000	0x74c0ffff	Memory Mapped File	rwx	-
shlwapi.dll	0x74c10000	0x74c53fff	Memory Mapped File	rwx	-
advapi32.dll	0x74c60000	0x74cdafff	Memory Mapped File	rwx	-
powrprof.dll	0x74ce0000	0x74d23fff	Memory Mapped File	rwx	-
kernelbase.dll	0x74d30000	0x74ea5fff	Memory Mapped File	rwx	-
comdlg32.dll	0x74eb0000	0x74f6dfff	Memory Mapped File	rwx	-
combase.dll	0x74f70000	0x75129fff	Memory Mapped File	rwx	-
kernel32.dll	0x75130000	0x7521ffff	Memory Mapped File	rwx	-
imm32.dll	0x75220000	0x7524afff	Memory Mapped File	rwx	-
kernel.appcore.dll	0x752b0000	0x752bbfff	Memory Mapped File	rwx	-
shell32.dll	0x752c0000	0x7667efff	Memory Mapped File	rwx	-
windows.storage.dll	0x76800000	0x76cdcfff	Memory Mapped File	rwx	-
oleaut32.dll	0x76ce0000	0x76d71fff	Memory Mapped File	rwx	-
msctf.dll	0x76da0000	0x76ebffff	Memory Mapped File	rwx	-
psapi.dll	0x76ec0000	0x76ec5fff	Memory Mapped File	rwx	-
ws2_32.dll	0x76ed0000	0x76f2bfff	Memory Mapped File	rwx	-
ole32.dll	0x76f30000	0x77019fff	Memory Mapped File	rwx	-
cfgmgr32.dll	0x77020000	0x77055fff	Memory Mapped File	rwx	-
sechost.dll	0x770b0000	0x770f2fff	Memory Mapped File	rwx	-
profapi.dll	0x77100000	0x7710efff	Memory Mapped File	rwx	-
shcore.dll	0x771d0000	0x7725cfff	Memory Mapped File	rwx	-
rpcrt4.dll	0x772c0000	0x7736bfff	Memory Mapped File	rwx	-
gdi32.dll	0x77370000	0x774bcfff	Memory Mapped File	rwx	-
msvcrt.dll	0x778d0000	0x7798dfff	Memory Mapped File	rwx	-
ntdll.dll	0x77990000	0x77b08fff	Memory Mapped File	rwx	-
pagefile_0x000000007feb0000	0x7feb0000	0x7ffaffff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd5000	0x7ffd5000	0x7ffd7fff	Private Memory	rw	-
private_0x000000007ffd8000	0x7ffd8000	0x7ffdafff	Private Memory	rw	-
private_0x000000007ffdb000	0x7ffdb000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7ffaf7a0ffff	Private Memory	r	-
ntdll.dll	0x7ffaf7a10000	0x7ffaf7bd1fff	Memory Mapped File	rwx	-
private_0x00007ffaf7bd2000	0x7ffaf7bd2000	0x7ffffffeffff	Private Memory	r	-

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#1: c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe	0xfd0	address = 0x400000, size = 1024	1	Fn Data
Modify Memory	#1: c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe	0xfd0	address = 0x401000, size = 278528	1	Fn Data
Modify Memory	#1: c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe	0xfd0	address = 0x445000, size = 48128	1	Fn Data
Modify Memory	#1: c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe	0xfd0	address = 0x451000, size = 5632	1	Fn Data
Modify Memory	#1: c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe	0xfd0	address = 0x454000, size = 27136	1	Fn Data
Modify Memory	#1: c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe	0xfd0	address = 0x7ffde008, size = 4	1	Fn Data
Modify Control Flow	#1: c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe	0xfd0	os_tid = 0xce8, address = 0x0	1	Fn

Modified Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\inetcache\counters.dat	0.12 KB	MD5: 0fc07622856a4f02ec32f3b8cdc7d79a SHA1: 69227fbe52d3fbfa3af508fee363698fd2a3613c SHA256: 0ac6eba5d515f5a55c7d5bd712cb191aac9bbef780cac77f3a69e357d8c3d746 SSDeep: 3:/lV/l3l:d		... File Actions Show Properties Download

Threads

Thread 0xce8

410

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe, base_address = 0x400000	2	Fn
Module	Load	module_name = comctl32.dll, base_address = 0x71ad0000	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10240.16384_none_49c02355cf03478c\comctl32.dll, function = InitCommonControlsEx, address_out = 0x71ad5000	1	Fn
Module	Load	module_name = shell32.dll, base_address = 0x752c0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = SHGetSpecialFolderPathW, address_out = 0x7544edb0	1	Fn
Module	Get Handle	module_name = c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe, base_address = 0x400000	2	Fn
Module	Get Filename	process_name = c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, size = 260	1	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc_lng.ini, type = file_attributes	1	Fn
Module	Get Handle	module_name = c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe, base_address = 0x400000	20	Fn
Module	Get Filename	process_name = c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, size = 260	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = ShowGridLines, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = SaveFilterIndex, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = ShowInfoTip, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = MarkOddEvenRows, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = ShowTimeInGMT, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = LoadPasswordsIE, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = LoadPasswordsFirefox, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = LoadPasswordsChrome, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = LoadPasswordsOpera, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = LoadPasswordsSafari, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = LoadPasswordsSeaMonkey, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = LoadPasswordsYandex, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = LoadPasswordsVivaldi, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = UseFirefoxProfileFolder, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = UseFirefoxInstallFolder, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = UseChromeProfileFolder, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = UseOperaPasswordFile, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = FirefoxProfileFolder	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = FirefoxInstallFolder	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = ChromeProfileFolder	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = OperaPasswordFile	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = SaveFileEncoeding, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = UseQuickFilter, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = QuickFilterString	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = QuickFilterColumnsMode, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = QuickFilterFindMode, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = WinPos	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = Columns	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = Sort, default_value = 0	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat, type = file_attributes	2	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Module	Get Filename	process_name = c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, size = 260	1	Fn
File	Create	filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77990000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x779f8f40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtLoadDriver, address_out = 0x779f9b30	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtUnloadDriver, address_out = 0x779fa670	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtOpenSymbolicLinkObject, address_out = 0x779f9d60	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtQuerySymbolicLinkObject, address_out = 0x779fa020	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtQueryObject, address_out = 0x779f8cc0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtSuspendProcess, address_out = 0x779fa5d0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtResumeProcess, address_out = 0x779fa1f0	1	Fn
System	Get Info	type = SYSTEM_HANDLE_INFORMATION	1	Fn
System	Get Info	type = SYSTEM_HANDLE_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Load	module_name = psapi.dll, base_address = 0x76ec0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\psapi.dll, function = GetModuleBaseNameW, address_out = 0x76ec1420	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\psapi.dll, function = EnumProcessModules, address_out = 0x76ec13a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\psapi.dll, function = GetModuleFileNameExW, address_out = 0x76ec1400	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\psapi.dll, function = EnumProcesses, address_out = 0x76ec13c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\psapi.dll, function = GetModuleInformation, address_out = 0x76ec16a0	1	Fn
Module	Get Filename	process_name = c:\windows\system32\sihost.exe, file_name_orig = C:\Windows\System32\sihost.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75130000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x75153700	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\windows\system32\taskhostw.exe, file_name_orig = C:\Windows\System32\taskhostw.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\windows\system32\runtimebroker.exe, file_name_orig = C:\Windows\System32\RuntimeBroker.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\explorer.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, file_name_orig = C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, file_name_orig = C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\program files\microsoft office 15\hadgdp.exe, file_name_orig = C:\Program Files\Microsoft Office 15\hadgdp.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\program files (x86)\common files\mergerbass.exe, file_name_orig = C:\Program Files (x86)\Common Files\mergerbass.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\program files\windows mail\italianbreakfast.exe, file_name_orig = C:\Program Files\Windows Mail\italianbreakfast.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\program files\microsoft office\merger raw.exe, file_name_orig = C:\Program Files\Microsoft Office\merger raw.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\program files (x86)\google\protein announcements processes.exe, file_name_orig = C:\Program Files (x86)\Google\protein announcements processes.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\program files\internet explorer\cdt_expenditure_vincent.exe, file_name_orig = C:\Program Files\Internet Explorer\cdt_expenditure_vincent.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\program files\microsoft office 15\woundchristopher.exe, file_name_orig = C:\Program Files\Microsoft Office 15\woundchristopher.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\program files\windows portable devices\irrigation_teach.exe, file_name_orig = C:\Program Files\Windows Portable Devices\irrigation_teach.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\program files\windows portable devices\suspect promoting stroke.exe, file_name_orig = C:\Program Files\Windows Portable Devices\suspect promoting stroke.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\program files\windows sidebar\piepokemon.exe, file_name_orig = C:\Program Files\Windows Sidebar\piepokemon.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\program files (x86)\windows media player\fo deutsch.exe, file_name_orig = C:\Program Files (x86)\Windows Media Player\fo deutsch.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\program files (x86)\google\complete_paso_altered.exe, file_name_orig = C:\Program Files (x86)\Google\complete_paso_altered.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\program files\common files\array_matched_latitude.exe, file_name_orig = C:\Program Files\Common Files\array_matched_latitude.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\program files (x86)\windows multimedia platform\segments-nhs-bee.exe, file_name_orig = C:\Program Files (x86)\Windows Multimedia Platform\segments-nhs-bee.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\program files\reference assemblies\readily knives.exe, file_name_orig = C:\Program Files\Reference Assemblies\readily knives.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\program files (x86)\windows portable devices\barry_slovenia_won.exe, file_name_orig = C:\Program Files (x86)\Windows Portable Devices\barry_slovenia_won.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\program files\windowspowershell\livearticle.exe, file_name_orig = C:\Program Files\WindowsPowerShell\livearticle.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\program files\windows journal\inn_creation.exe, file_name_orig = C:\Program Files\Windows Journal\inn_creation.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\program files\reference assemblies\demand_sony_leeds.exe, file_name_orig = C:\Program Files\Reference Assemblies\demand_sony_leeds.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\program files (x86)\windows mail\optimize-dressing.exe, file_name_orig = C:\Program Files (x86)\Windows Mail\optimize-dressing.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\order ref ftp.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\windows\system32\taskhostw.exe, file_name_orig = C:\Windows\System32\taskhostw.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\System32\svchost.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\windows\system32\backgroundtaskhost.exe, file_name_orig = C:\Windows\System32\backgroundTaskHost.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	process_name = c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, size = 260	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x74c60000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextA, address_out = 0x74c80c00	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x74c80ad0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptCreateHash, address_out = 0x74c7f930	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptGetHashParam, address_out = 0x74c7f530	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptHashData, address_out = 0x74c7f950	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptDestroyHash, address_out = 0x74c7fbf0	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x74c60000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredReadA, address_out = 0x74c958f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredFree, address_out = 0x74c84010	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredDeleteA, address_out = 0x74c956b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateA, address_out = 0x74c95710	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateW, address_out = 0x74c83950	1	Fn
Module	Load	module_name = pstorec.dll, base_address = 0x73110000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\pstorec.dll, function = PStoreCreateInstance, address_out = 0x73111290	1	Fn
Module	Load	module_name = vaultcli.dll, base_address = 0x71590000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\vaultcli.dll, function = VaultOpenVault, address_out = 0x71599e10	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\vaultcli.dll, function = VaultCloseVault, address_out = 0x71599e80	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\vaultcli.dll, function = VaultEnumerateItems, address_out = 0x71599c80	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\vaultcli.dll, function = VaultFree, address_out = 0x71599690	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\vaultcli.dll, function = VaultGetInformation, address_out = 0x715ab9a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\vaultcli.dll, function = VaultGetItem, address_out = 0x71599bf0	2	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\history.dat, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite, type = time	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\profiles.ini, type = file_attributes	1	Fn
Ini	Read	file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile0, key_name = Path, data_out = Profiles/8i341t8m.default	1	Fn
Ini	Read	file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile0, key_name = IsRelative, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile1, key_name = Path	1	Fn
Ini	Read	file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile1, key_name = IsRelative, default_value = 0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 53.0.3\bin	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 53.0.3\bin, value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, type = file_attributes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Module	Get Handle	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, base_address = 0x0	1	Fn
Module	Load	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, base_address = 0x71390000	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = NSS_Init, address_out = 0x7141ee9a	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = NSS_Shutdown, address_out = 0x7141f125	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_GetInternalKeySlot, address_out = 0x71442f61	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_FreeSlot, address_out = 0x714429d3	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_CheckUserPassword, address_out = 0x7142bc2d	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_Authenticate, address_out = 0x7142bb28	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11SDR_Decrypt, address_out = 0x7143ef47	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\logins.json, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\signons.sqlite, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\signons.txt, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\signons2.txt, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\signons3.txt, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 53.0.3\bin	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 53.0.3\bin, value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, type = file_attributes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Module	Get Handle	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, base_address = 0x71390000	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = NSS_Init, address_out = 0x7141ee9a	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = NSS_Shutdown, address_out = 0x7141f125	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_GetInternalKeySlot, address_out = 0x71442f61	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_FreeSlot, address_out = 0x714429d3	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_CheckUserPassword, address_out = 0x7142bc2d	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_Authenticate, address_out = 0x7142bb28	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11SDR_Decrypt, address_out = 0x7143ef47	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Load	module_name = psapi.dll, base_address = 0x76ec0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\psapi.dll, function = GetModuleBaseNameW, address_out = 0x76ec1420	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\psapi.dll, function = EnumProcessModules, address_out = 0x76ec13a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\psapi.dll, function = GetModuleFileNameExW, address_out = 0x76ec1400	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\psapi.dll, function = EnumProcesses, address_out = 0x76ec13c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\psapi.dll, function = GetModuleInformation, address_out = 0x76ec16a0	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\windows\system32\sihost.exe, file_name_orig = C:\Windows\System32\sihost.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\windows\system32\taskhostw.exe, file_name_orig = C:\Windows\System32\taskhostw.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\windows\system32\runtimebroker.exe, file_name_orig = C:\Windows\System32\RuntimeBroker.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\explorer.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, file_name_orig = C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, file_name_orig = C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files\microsoft office 15\hadgdp.exe, file_name_orig = C:\Program Files\Microsoft Office 15\hadgdp.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files (x86)\common files\mergerbass.exe, file_name_orig = C:\Program Files (x86)\Common Files\mergerbass.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files\windows mail\italianbreakfast.exe, file_name_orig = C:\Program Files\Windows Mail\italianbreakfast.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files\microsoft office\merger raw.exe, file_name_orig = C:\Program Files\Microsoft Office\merger raw.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files (x86)\google\protein announcements processes.exe, file_name_orig = C:\Program Files (x86)\Google\protein announcements processes.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files\internet explorer\cdt_expenditure_vincent.exe, file_name_orig = C:\Program Files\Internet Explorer\cdt_expenditure_vincent.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files\microsoft office 15\woundchristopher.exe, file_name_orig = C:\Program Files\Microsoft Office 15\woundchristopher.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files\windows portable devices\irrigation_teach.exe, file_name_orig = C:\Program Files\Windows Portable Devices\irrigation_teach.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files\windows portable devices\suspect promoting stroke.exe, file_name_orig = C:\Program Files\Windows Portable Devices\suspect promoting stroke.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files\windows sidebar\piepokemon.exe, file_name_orig = C:\Program Files\Windows Sidebar\piepokemon.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files (x86)\windows media player\fo deutsch.exe, file_name_orig = C:\Program Files (x86)\Windows Media Player\fo deutsch.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files (x86)\google\complete_paso_altered.exe, file_name_orig = C:\Program Files (x86)\Google\complete_paso_altered.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files\common files\array_matched_latitude.exe, file_name_orig = C:\Program Files\Common Files\array_matched_latitude.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files (x86)\windows multimedia platform\segments-nhs-bee.exe, file_name_orig = C:\Program Files (x86)\Windows Multimedia Platform\segments-nhs-bee.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files\reference assemblies\readily knives.exe, file_name_orig = C:\Program Files\Reference Assemblies\readily knives.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files (x86)\windows portable devices\barry_slovenia_won.exe, file_name_orig = C:\Program Files (x86)\Windows Portable Devices\barry_slovenia_won.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files\windowspowershell\livearticle.exe, file_name_orig = C:\Program Files\WindowsPowerShell\livearticle.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files\windows journal\inn_creation.exe, file_name_orig = C:\Program Files\Windows Journal\inn_creation.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files\reference assemblies\demand_sony_leeds.exe, file_name_orig = C:\Program Files\Reference Assemblies\demand_sony_leeds.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files (x86)\windows mail\optimize-dressing.exe, file_name_orig = C:\Program Files (x86)\Windows Mail\optimize-dressing.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\order ref ftp.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\windows\system32\taskhostw.exe, file_name_orig = C:\Windows\System32\taskhostw.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\System32\svchost.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\windows\system32\backgroundtaskhost.exe, file_name_orig = C:\Windows\System32\backgroundTaskHost.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, size = 260	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe	1	Fn
File	Get Info	filename = C:\Program Files (x86)\Sea Monkey\nss3.dll, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Vivaldi\User Data\Default\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data, desired_access = GENERIC_READ	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data, size = 100, size_out = 100	1	Fn Data
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = size, size_out = 0	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = size, size_out = 0	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data, size = 2048, size_out = 2048	4	Fn Data
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = size, size_out = 0	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data, size = 16, size_out = 16	1	Fn Data
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = size, size_out = 0	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = size, size_out = 0	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data, desired_access = GENERIC_READ	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data, size = 100, size_out = 100	1	Fn Data
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data, type = size, size_out = 0	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data, type = size, size_out = 0	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data, size = 2048, size_out = 2048	1	Fn Data
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data, type = size, size_out = 0	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data, size = 16, size_out = 16	1	Fn Data
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data, type = size, size_out = 0	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data, type = size, size_out = 0	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data, size = 2048, size_out = 2048	1	Fn Data
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\EVWhitelist\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\EVWhitelist\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\pnacl\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\pnacl\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Subresource Filter\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Subresource Filter\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Apple Computer\Preferences\keychain.plist, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Opera\Opera\wand.dat, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Opera\Opera7\profile\wand.dat, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Opera Software\Opera Stable\Login Data, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp, size = 2	1	Fn Data

Process #5: vbc.exe

185

Information	Value
ID	#5
File Name	c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
Command Line	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp"
Initial Working Directory	C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor	Start Time: 00:02:18, Reason: Child Process
Unmonitor	End Time: 00:02:19, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0xe1c
Parent PID	0xfcc (c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 190 0x 538

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00023fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
pagefile_0x0000000000040000	0x00040000	0x00053fff	Pagefile Backed Memory	r	-
private_0x0000000000060000	0x00060000	0x0009ffff	Private Memory	rw	-
private_0x00000000000a0000	0x000a0000	0x0019ffff	Private Memory	rw	-
pagefile_0x00000000001a0000	0x001a0000	0x001a3fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001b0000	0x001b0000	0x001b0fff	Pagefile Backed Memory	r	-
private_0x00000000001c0000	0x001c0000	0x001c1fff	Private Memory	rw	-
private_0x00000000001d0000	0x001d0000	0x0020ffff	Private Memory	rw	-
private_0x0000000000210000	0x00210000	0x00210fff	Private Memory	rw	-
pagefile_0x0000000000220000	0x00220000	0x00220fff	Pagefile Backed Memory	rw	-
private_0x0000000000230000	0x00230000	0x0023ffff	Private Memory	rw	-
locale.nls	0x00240000	0x002fdfff	Memory Mapped File	r	-
private_0x0000000000300000	0x00300000	0x003fffff	Private Memory	rw	-
vbc.exe	0x00400000	0x0051efff	Memory Mapped File	rwx	-
private_0x0000000000400000	0x00400000	0x0041bfff	Private Memory	rwx	-
pagefile_0x0000000000420000	0x00420000	0x005a7fff	Pagefile Backed Memory	r	-
private_0x00000000005b0000	0x005b0000	0x006affff	Private Memory	rw	-
pagefile_0x00000000006b0000	0x006b0000	0x00830fff	Pagefile Backed Memory	r	-
private_0x00000000008a0000	0x008a0000	0x008affff	Private Memory	rw	-
pagefile_0x00000000008b0000	0x008b0000	0x01caffff	Pagefile Backed Memory	r	-
private_0x0000000001cb0000	0x01cb0000	0x01daffff	Private Memory	rw	-
private_0x0000000001e20000	0x01e20000	0x01e2ffff	Private Memory	rw	-
sortdefault.nls	0x01e30000	0x02166fff	Memory Mapped File	r	-
comctl32.dll	0x71ad0000	0x71b61fff	Memory Mapped File	rwx	-
wow64cpu.dll	0x73030000	0x73037fff	Memory Mapped File	rwx	-
wow64.dll	0x73040000	0x7308efff	Memory Mapped File	rwx	-
wow64win.dll	0x73090000	0x73102fff	Memory Mapped File	rwx	-
pstorec.dll	0x73110000	0x73117fff	Memory Mapped File	rwx	-
bcryptprimitives.dll	0x74a30000	0x74a88fff	Memory Mapped File	rwx	-
cryptbase.dll	0x74a90000	0x74a99fff	Memory Mapped File	rwx	-
sspicli.dll	0x74aa0000	0x74abdfff	Memory Mapped File	rwx	-
user32.dll	0x74ad0000	0x74c0ffff	Memory Mapped File	rwx	-
shlwapi.dll	0x74c10000	0x74c53fff	Memory Mapped File	rwx	-
advapi32.dll	0x74c60000	0x74cdafff	Memory Mapped File	rwx	-
powrprof.dll	0x74ce0000	0x74d23fff	Memory Mapped File	rwx	-
kernelbase.dll	0x74d30000	0x74ea5fff	Memory Mapped File	rwx	-
comdlg32.dll	0x74eb0000	0x74f6dfff	Memory Mapped File	rwx	-
combase.dll	0x74f70000	0x75129fff	Memory Mapped File	rwx	-
kernel32.dll	0x75130000	0x7521ffff	Memory Mapped File	rwx	-
imm32.dll	0x75220000	0x7524afff	Memory Mapped File	rwx	-
kernel.appcore.dll	0x752b0000	0x752bbfff	Memory Mapped File	rwx	-
shell32.dll	0x752c0000	0x7667efff	Memory Mapped File	rwx	-
crypt32.dll	0x76680000	0x767f4fff	Memory Mapped File	rwx	-
windows.storage.dll	0x76800000	0x76cdcfff	Memory Mapped File	rwx	-
msctf.dll	0x76da0000	0x76ebffff	Memory Mapped File	rwx	-
ole32.dll	0x76f30000	0x77019fff	Memory Mapped File	rwx	-
sechost.dll	0x770b0000	0x770f2fff	Memory Mapped File	rwx	-
profapi.dll	0x77100000	0x7710efff	Memory Mapped File	rwx	-
msasn1.dll	0x771c0000	0x771cdfff	Memory Mapped File	rwx	-
shcore.dll	0x771d0000	0x7725cfff	Memory Mapped File	rwx	-
rpcrt4.dll	0x772c0000	0x7736bfff	Memory Mapped File	rwx	-
gdi32.dll	0x77370000	0x774bcfff	Memory Mapped File	rwx	-
msvcrt.dll	0x778d0000	0x7798dfff	Memory Mapped File	rwx	-
ntdll.dll	0x77990000	0x77b08fff	Memory Mapped File	rwx	-
pagefile_0x000000007feb0000	0x7feb0000	0x7ffaffff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd8000	0x7ffd8000	0x7ffdafff	Private Memory	rw	-
private_0x000000007ffdb000	0x7ffdb000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7ffaf7a0ffff	Private Memory	r	-
ntdll.dll	0x7ffaf7a10000	0x7ffaf7bd1fff	Memory Mapped File	rwx	-
private_0x00007ffaf7bd2000	0x7ffaf7bd2000	0x7ffffffeffff	Private Memory	r	-

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#1: c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe	0xfd0	address = 0x400000, size = 1024	1	Fn Data
Modify Memory	#1: c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe	0xfd0	address = 0x401000, size = 71168	1	Fn Data
Modify Memory	#1: c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe	0xfd0	address = 0x413000, size = 14848	1	Fn Data
Modify Memory	#1: c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe	0xfd0	address = 0x417000, size = 3072	1	Fn Data
Modify Memory	#1: c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe	0xfd0	address = 0x419000, size = 12288	1	Fn Data
Modify Memory	#1: c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe	0xfd0	address = 0x7ffde008, size = 4	1	Fn Data
Modify Control Flow	#1: c:\users\ciihmnxmn6ps\desktop\order ref ftp.exe	0xfd0	os_tid = 0x190, address = 0x0	1	Fn

Threads

Thread 0x190

185

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe, base_address = 0x400000	2	Fn
Module	Load	module_name = comctl32.dll, base_address = 0x71ad0000	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10240.16384_none_49c02355cf03478c\comctl32.dll, function = InitCommonControlsEx, address_out = 0x71ad5000	1	Fn
Module	Load	module_name = shell32.dll, base_address = 0x752c0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = SHGetSpecialFolderPathA, address_out = 0x75564f00	1	Fn
Module	Get Filename	process_name = c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, size = 260	1	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc_lng.ini, type = file_attributes	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Profiles, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Thunderbird\Profiles, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird	1	Fn
File	Get Info	filename = C:\Program Files (x86)\Mozilla Thunderbird, type = file_attributes	1	Fn
Module	Get Filename	process_name = c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, size = 260	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = ShowGridLines, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = SaveFilterIndex, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = AddExportHeaderLine, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = MarkOddEvenRows, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = WinPos	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = Columns	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg, section_name = General, key_name = Sort, default_value = 0	1	Fn
Module	Load	module_name = pstorec.dll, base_address = 0x73110000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\pstorec.dll, function = PStoreCreateInstance, address_out = 0x73111290	1	Fn
Module	Load	module_name = crypt32.dll, base_address = 0x76680000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\crypt32.dll, function = CryptUnprotectData, address_out = 0x766caf50	1	Fn
System	Get Computer Name	result_out = LHNIWSJ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x74c60000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredReadA, address_out = 0x74c958f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredFree, address_out = 0x74c84010	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredDeleteA, address_out = 0x74c956b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateA, address_out = 0x74c95710	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateW, address_out = 0x74c83950	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Identities	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Identities	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Identities\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Identities\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}, value_name = Username, data = Main Identity, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Identities\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\Software\Microsoft\Internet Account Manager\Accounts	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Identities\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Identities	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\03fea8ae12202041b643a9691e5b323c	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\03fea8ae12202041b643a9691e5b323c	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = POP3 User, data = 56, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = IMAP User, data = 56, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = HTTP User, data = 56, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = SMTP User, data = 56, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 User, data = lcfkj@kiekc.df, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 Server, data = fgr, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = Display Name, data = dkdjf kdil, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = Email, data = lcfkj@kiekc.df, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = SMTP Server, data = rgdr, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 Use SPA, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 Password, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = IMAP User, data = 114, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = HTTP User, data = 114, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = SMTP User, data = 114, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = POP3 User, data = 114, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = IMAP User, data = 114, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = HTTP User, data = 114, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = SMTP User, data = 114, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\IncrediMail\Identities	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Group Mail	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\MessengerService	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x74c60000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredReadA, address_out = 0x74c958f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredFree, address_out = 0x74c84010	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredDeleteA, address_out = 0x74c956b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateA, address_out = 0x74c95710	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateW, address_out = 0x74c83950	1	Fn
Module	Load	module_name = crypt32.dll, base_address = 0x76680000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\crypt32.dll, function = CryptUnprotectData, address_out = 0x766caf50	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Yahoo\Pager	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x74c60000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredReadA, address_out = 0x74c958f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredFree, address_out = 0x74c84010	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredDeleteA, address_out = 0x74c956b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateA, address_out = 0x74c95710	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateW, address_out = 0x74c83950	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp, size = 50	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp, size = 2	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp, size = 32	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp, size = 34	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp, size = 36	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp, size = 25	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp, size = 22	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp, size = 24	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp, size = 26	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp, size = 36	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp, size = 22	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp, size = 29	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp, size = 22	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp, size = 26	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp, size = 22	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp, size = 50	1	Fn Data
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp, size = 2	2	Fn Data

Monitored Processes

Behavior Information - Sequential View

Before

After