Analysis Report

Monitored Processes

Behavior Information - Sequential View

Process #1: tax tool.exe

(Host: 212, Network: 0)

Information	Value
ID / OS PID	#1 / 0x990
OS Parent PID	0x7cc (c:\windows\explorer.exe)
Initial Working Directory	C:\Users\WI2yhmtI onvScY7Pe\Desktop
File Name	c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe
Command Line	"C:\Users\WI2yhmtI onvScY7Pe\Desktop\Tax Tool.exe"
Monitor	Start Time: 00:00:37, Reason: Analysis Target
Unmonitor	End Time: 00:01:09, Reason: Terminated
Monitor Duration	00:00:32
OS Thread IDs	#1 0x7BC #2 0x9EC

Region

Name	Start VA	End VA	Type	Permissions	Actions
Tax Tool.exe	0x00140000	0x00163fff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download
private_0x0000000000820000	0x00820000	0x0083ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000820000	0x00820000	0x0082ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000830000	0x00830000	0x00833fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000840000	0x00840000	0x00841fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000840000	0x00840000	0x00840fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000850000	0x00850000	0x00863fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000870000	0x00870000	0x008affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000008b0000	0x008b0000	0x009affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000009b0000	0x009b0000	0x009b3fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000009c0000	0x009c0000	0x009c1fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000009d0000	0x009d0000	0x00a0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000a10000	0x00a10000	0x00a10fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000a20000	0x00a20000	0x00a20fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000a70000	0x00a70000	0x00a7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000af0000	0x00af0000	0x00beffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00bf0000	0x00cadfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000cb0000	0x00cb0000	0x00daffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000dd0000	0x00dd0000	0x00e5ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000e60000	0x00e60000	0x00fe7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001050000	0x01050000	0x0105ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x01060000	0x01396fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000013a0000	0x013a0000	0x01520fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001530000	0x01530000	0x0292ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002930000	0x02930000	0x02a2ffff	Private Memory	Readable, Writable	Region Actions
wow64win.dll	0x64da0000	0x64e12fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x64e20000	0x64e6efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x64e70000	0x64e77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x74320000	0x74347fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x74350000	0x74359fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74360000	0x7438efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcrypt.dll	0x74390000	0x743aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x743b0000	0x743c2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x743d0000	0x74460fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x74470000	0x744c8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x744d0000	0x744d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x744e0000	0x744fdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x745a0000	0x7465dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x74660000	0x747acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x747b0000	0x75b6efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75b70000	0x75c1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75dd0000	0x75f0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x75f10000	0x75f15fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.storage.dll	0x75f20000	0x763fcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76460000	0x7654ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76800000	0x768e9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x769c0000	0x76adffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76ae0000	0x76b23fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76d70000	0x76deafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
SHCore.dll	0x76df0000	0x76e7cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel.appcore.dll	0x76e80000	0x76e8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76e90000	0x76ed2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x76fa0000	0x77115fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
combase.dll	0x77120000	0x772d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x77340000	0x7734efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77350000	0x7737afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x77380000	0x773c3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x773d0000	0x77548fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f700000	0x7f700000	0x7f7fffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007f800000	0x7f800000	0x7f822fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f828000	0x7f828000	0x7f82afff	Private Memory	Readable, Writable	Region Actions
private_0x000000007f82b000	0x7f82b000	0x7f82dfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007f82e000	0x7f82e000	0x7f82efff	Private Memory	Readable, Writable	Region Actions
private_0x000000007f82f000	0x7f82f000	0x7f82ffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7ffd2ef5ffff	Private Memory	Readable	Region Actions
ntdll.dll	0x7ffd2ef60000	0x7ffd2f121fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007ffd2f122000	0x7ffd2f122000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0x7bc

(Host: 212, Network: 0)

Category	Operation	Information	Count	Logfile
MOD	GET_HANDLE	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76460000	1	Fn
MOD	GET_HANDLE	module_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, base_address = 0x140000	1	Fn
MOD	GET_HANDLE	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x773d0000	1	Fn
MOD	LOAD	module_name = NTDLL, base_address = 0x773d0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\ntdll.dll, function = RtlAddVectoredExceptionHandler, address = 0x7742f090	1	Fn
MOD	GET_HANDLE	module_name = advapi32.dll, base_address = 0x0	1	Fn
MOD	LOAD	module_name = advapi32.dll, base_address = 0x76d70000	1	Fn
MOD	LOAD	module_name = NTDLL, base_address = 0x773d0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\ntdll.dll, function = RtlInitializeCriticalSection, address = 0x774295f0	1	Fn
MOD	GET_HANDLE	module_name = shlwapi.dll, base_address = 0x0	1	Fn
MOD	LOAD	module_name = shlwapi.dll, base_address = 0x76ae0000	1	Fn
REG	OPEN_KEY	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data_ident_out = 0	1	Fn
REG	OPEN_KEY	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = DigitalProductId	1	Fn
MOD	GET_HANDLE	module_name = shell32.dll, base_address = 0x0	1	Fn
MOD	LOAD	module_name = shell32.dll, base_address = 0x747b0000	1	Fn
MOD	GET_HANDLE	module_name = ole32.dll, base_address = 0x0	1	Fn
MOD	LOAD	module_name = ole32.dll, base_address = 0x76800000	1	Fn
MOD	LOAD	module_name = api-ms-win-core-com-l1-1-0, base_address = 0x77120000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\combase.dll, function = CLSIDFromString, address = 0x771d1390	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_OPERATION, READ_CONTROL, desired_access = PROCESS_VM_OPERATION, READ_CONTROL	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
MOD	GET_HANDLE	module_name = psapi.dll, base_address = 0x0	1	Fn
MOD	LOAD	module_name = psapi.dll, base_address = 0x75f10000	1	Fn
MOD	GET_FILENAME	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, file_name = C:\Users\WI2yhmtI onvScY7Pe\Desktop\Tax Tool.exe, module_name = psapi.dll, os_pid = 0x990	1	Fn
MOD	GET_HANDLE	module_name = secur32.dll, base_address = 0x0	1	Fn
MOD	LOAD	module_name = secur32.dll, base_address = 0x74350000	1	Fn
MOD	LOAD	module_name = SSPICLI, base_address = 0x744e0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\sspicli.dll, function = GetUserNameExW, address = 0x744ec5f0	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
FILE	CREATE_DIR		1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, desired_access = FILE_READ_EA, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_OPEN, create_options = FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0	1	Fn
MOD	GET_FILENAME	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, file_name = C:\Users\WI2yhmtI onvScY7Pe\Desktop\Tax Tool.exe, module_name = secur32.dll, os_pid = 0x990	1	Fn
MOD	GET_HANDLE	module_name = c:\windows\syswow64\user32.dll, base_address = 0x75dd0000	1	Fn
KEYBOARD	GET_INFO	type = KB_LOCALE_ID	2	Fn
FILE	CREATE	file_name = vmgenerationcounter, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = hgfs, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = vmci, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
REG	OPEN_KEY	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	1	Fn
FILE	CREATE	file_name = vboxguest, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = vboxmouse, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = vboxvideo, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = vboxminirddn, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = vboxtrayipc, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
REG	OPEN_KEY	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	1	Fn
REG	OPEN_KEY	reg_name = HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1	Fn
MUTEX	CREATE	mutex_name = MicrosoftVirtualPC7UserServiceMakeSureWe'reTheOnlyOneMutex, initial_owner = 0	1	Fn
FILE	CREATE	file_name = virtualmachineservices, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = prl_pv, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = prl_tg, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = prl_time, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
REG	OPEN_KEY	reg_name = HKEY_LOCAL_MACHINE\HARDWARE\Description\System	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\HARDWARE\Description\System, value_name = SystemBiosVersion, data_ident_out = 0	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\HARDWARE\Description\System, value_name = SystemBiosVersion, data_ident_out = PTLTD - 6040000	1	Fn
FILE	CREATE	file_name = c:\popupkiller.exe, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = c:\stimulator.exe, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = c:\tools\execute.exe, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
MOD	LOAD	module_name = SbieDll.dll, base_address = 0x0	1	Fn
MUTEX	CREATE	mutex_name = Sandboxie_SingleInstanceMutex_Control, initial_owner = 0	1	Fn
MUTEX	CREATE	mutex_name = Frz_State, initial_owner = 0	1	Fn
FILE	CREATE	file_name = npf_ndiswanip, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
MOD	GET_HANDLE	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76460000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = wine_get_unix_file_name, address = 0x0	1	Fn
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\Software\WINE	1	Fn
REG	OPEN_KEY	reg_name = HKEY_LOCAL_MACHINE\Software\WINE	1	Fn
FILE	CREATE	file_name = sice, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = siwvid, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = siwdebug, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = ntice, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = regvxg, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = filevxg, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = regsys, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = filem, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = trw, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = icext, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
MUTEX	CREATE	mutex_name = 4B000000D586D2D8AB6E07EC44CC9183, initial_owner = 0	1	Fn
MUTEX	OPEN	mutex_name = C0000000844EE6C40648470D345E7B65, desired_access = SYNCHRONIZE	1	Fn
SYS	SLEEP	duration = 0 milliseconds (0.000 seconds)	7	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, GENERIC_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
SYS	SLEEP	duration = 0 milliseconds (0.000 seconds)	7	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\desktop (create shortcut).igb, desired_access = GENERIC_WRITE, GENERIC_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
SYS	SLEEP	duration = 0 milliseconds (0.000 seconds)	7	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\windows powershell (x86).ezu, desired_access = GENERIC_WRITE, GENERIC_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
SYS	SLEEP	duration = 0 milliseconds (0.000 seconds)	7	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe, desired_access = GENERIC_WRITE, GENERIC_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Narrator	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\WAB	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Feeds	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\WcmSvc	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Narrator	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fax	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\GameBar	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Keyboard	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Wisp	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\FTP	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Unistore	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\WcmSvc	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\UserData	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fax	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\FTP	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\PeerNet	2	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Keyboard	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\WAB	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Pim	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Java VM	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Poom	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\PeerNet	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\WAB	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSF	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Keyboard	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Wisp	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\WAB	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\PeerNet	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\SkyDrive	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fax	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\FTP	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\F12	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\FTP	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Osk	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\WcmSvc	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\SkyDrive	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Cuxiy	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Java VM	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Hayfra	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Poom	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ygizgo	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo	1	Fn
REG	OPEN_KEY	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data_ident_out = 0	1	Fn
REG	OPEN_KEY	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = DigitalProductId	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
FILE	CREATE_DIR		1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, size = 124416	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe, size = 124416	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe, desired_access = FILE_WRITE_EA, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_OPEN, create_options = FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, create_disposition = OPEN_EXISTING, file_attributes = FILE_FLAG_BACKUP_SEMANTICS	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe, desired_access = FILE_WRITE_ATTRIBUTES, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java, desired_access = FILE_WRITE_ATTRIBUTES, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = FILE_WRITE_ATTRIBUTES, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player, desired_access = FILE_WRITE_ATTRIBUTES, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\desktop (create shortcut).igb, desired_access = FILE_WRITE_ATTRIBUTES, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player, desired_access = FILE_WRITE_ATTRIBUTES, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\windows powershell (x86).ezu, desired_access = FILE_WRITE_ATTRIBUTES, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player, desired_access = FILE_WRITE_ATTRIBUTES, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
PROC	CREATE	process_name = "C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\Sun\Java\Devices.exe", os_tid = 0xbcc, os_pid = 0x84, creation_flags = CREATE_DEFAULT_ERROR_MODE, current_directory = C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming, show_window = SW_HIDE	1	Fn
SYS	SLEEP	duration = -1 (infinite)	1	Fn
MUTEX	RELEASE	mutex_name = 4B000000D586D2D8AB6E07EC44CC9183	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.bat, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
FILE	WRITE	file_name = c:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.bat, size = 208	1	Fn Data
PROC	CREATE	process_name = "C:\Windows\system32\cmd.exe" \c "C:\Users\WI2YHM~1\AppData\Local\Temp\upd823d0e12.bat", os_tid = 0xcb0, os_pid = 0xcac, creation_flags = CREATE_DEFAULT_ERROR_MODE, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE	1	Fn

Process #2: devices.exe

(Host: 83, Network: 0)

Information	Value
ID / OS PID	#2 / 0x84
OS Parent PID	0x990 (c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe)
Initial Working Directory	C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming
File Name	c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe
Command Line	"C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\Sun\Java\Devices.exe"
Monitor	Start Time: 00:00:57, Reason: Child Process
Unmonitor	End Time: 00:01:09, Reason: Terminated
Monitor Duration	00:00:12
OS Thread IDs	#3 0xBCC #4 0x8E4

Region

Name	Start VA	End VA	Type	Permissions	Actions
Devices.exe	0x00bd0000	0x00bf3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download
private_0x0000000000c40000	0x00c40000	0x00c5ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000c40000	0x00c40000	0x00c4ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000c50000	0x00c50000	0x00c53fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c60000	0x00c60000	0x00c61fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c60000	0x00c60000	0x00c60fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000c70000	0x00c70000	0x00c83fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000c90000	0x00c90000	0x00ccffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000cd0000	0x00cd0000	0x00dcffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000dd0000	0x00dd0000	0x00dd3fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000de0000	0x00de0000	0x00de1fff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00df0000	0x00eadfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000eb0000	0x00eb0000	0x00eeffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ef0000	0x00ef0000	0x00ef0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000f00000	0x00f00000	0x00f00fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000f60000	0x00f60000	0x00f6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001050000	0x01050000	0x0114ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000011f0000	0x011f0000	0x0127ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001280000	0x01280000	0x0137ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014c0000	0x014c0000	0x014cffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x014d0000	0x01806fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000001810000	0x01810000	0x01997fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000019a0000	0x019a0000	0x01b20fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001b30000	0x01b30000	0x02f2ffff	Pagefile Backed Memory	Readable	Region Actions
wow64win.dll	0x64da0000	0x64e12fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x64e20000	0x64e6efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x64e70000	0x64e77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x74320000	0x74347fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x74350000	0x74359fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74360000	0x7438efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcrypt.dll	0x74390000	0x743aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x743b0000	0x743c2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x743d0000	0x74460fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x74470000	0x744c8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x744d0000	0x744d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x744e0000	0x744fdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x745a0000	0x7465dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x74660000	0x747acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x747b0000	0x75b6efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75b70000	0x75c1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75dd0000	0x75f0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x75f10000	0x75f15fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.storage.dll	0x75f20000	0x763fcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76460000	0x7654ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76800000	0x768e9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x769c0000	0x76adffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76ae0000	0x76b23fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76d70000	0x76deafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
SHCore.dll	0x76df0000	0x76e7cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel.appcore.dll	0x76e80000	0x76e8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76e90000	0x76ed2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x76fa0000	0x77115fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
combase.dll	0x77120000	0x772d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x77340000	0x7734efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77350000	0x7737afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x77380000	0x773c3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x773d0000	0x77548fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007e3f0000	0x7e3f0000	0x7e4effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007e4f0000	0x7e4f0000	0x7e512fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007e513000	0x7e513000	0x7e513fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e518000	0x7e518000	0x7e518fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e51a000	0x7e51a000	0x7e51cfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e51d000	0x7e51d000	0x7e51ffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7ffd2ef5ffff	Private Memory	Readable	Region Actions
ntdll.dll	0x7ffd2ef60000	0x7ffd2f121fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007ffd2f122000	0x7ffd2f122000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xbcc

(Host: 83, Network: 0)

Category	Operation	Information	Count	Logfile
MOD	GET_HANDLE	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76460000	1	Fn
MOD	GET_HANDLE	module_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe, base_address = 0xbd0000	1	Fn
MOD	GET_HANDLE	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x773d0000	1	Fn
MOD	LOAD	module_name = NTDLL, base_address = 0x773d0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\ntdll.dll, function = RtlAddVectoredExceptionHandler, address = 0x7742f090	1	Fn
MOD	GET_HANDLE	module_name = advapi32.dll, base_address = 0x0	1	Fn
MOD	LOAD	module_name = advapi32.dll, base_address = 0x76d70000	1	Fn
MOD	LOAD	module_name = NTDLL, base_address = 0x773d0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\ntdll.dll, function = RtlInitializeCriticalSection, address = 0x774295f0	1	Fn
MOD	GET_HANDLE	module_name = shlwapi.dll, base_address = 0x0	1	Fn
MOD	LOAD	module_name = shlwapi.dll, base_address = 0x76ae0000	1	Fn
REG	OPEN_KEY	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data_ident_out = 0	1	Fn
REG	OPEN_KEY	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = DigitalProductId	1	Fn
MOD	GET_HANDLE	module_name = shell32.dll, base_address = 0x0	1	Fn
MOD	LOAD	module_name = shell32.dll, base_address = 0x747b0000	1	Fn
MOD	GET_HANDLE	module_name = ole32.dll, base_address = 0x0	1	Fn
MOD	LOAD	module_name = ole32.dll, base_address = 0x76800000	1	Fn
MOD	LOAD	module_name = api-ms-win-core-com-l1-1-0, base_address = 0x77120000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\combase.dll, function = CLSIDFromString, address = 0x771d1390	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_OPERATION, READ_CONTROL, desired_access = PROCESS_VM_OPERATION, READ_CONTROL	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
MOD	GET_HANDLE	module_name = psapi.dll, base_address = 0x0	1	Fn
MOD	LOAD	module_name = psapi.dll, base_address = 0x75f10000	1	Fn
MOD	GET_FILENAME	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, file_name = C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\Sun\Java\Devices.exe, module_name = psapi.dll, os_pid = 0x990	1	Fn
MOD	GET_HANDLE	module_name = secur32.dll, base_address = 0x0	1	Fn
MOD	LOAD	module_name = secur32.dll, base_address = 0x74350000	1	Fn
MOD	LOAD	module_name = SSPICLI, base_address = 0x744e0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\sspicli.dll, function = GetUserNameExW, address = 0x744ec5f0	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
FILE	CREATE_DIR		1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe, desired_access = FILE_READ_EA, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_OPEN, create_options = FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 265	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 265	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 529	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
MUTEX	CREATE	mutex_name = 9C0000002CCF1F00ECD770C403E9DE7B, initial_owner = 1	1	Fn
MUTEX	OPEN	mutex_name = D20000002A14C6E52964F51932B9F49F, desired_access = SYNCHRONIZE	2	Fn
PROC	CREATE	process_name = C:\Windows\SysWOW64\svchost.exe -k netsvcs, os_tid = 0x540, os_pid = 0x2ec, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
MUTEX	CREATE	mutex_name = 54000000F61A7DE2C294AD9653CFD4FD, initial_owner = 1	1	Fn
MEM	ALLOC	address = 0x4eb0000, process_name = C:\Windows\SysWOW64\svchost.exe -k netsvcs, os_pid = 0x2ec, size = 147456, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE	1	Fn
MEM	WRITE	address = 0x4eb0000, process_name = C:\Windows\SysWOW64\svchost.exe -k netsvcs, os_pid = 0x2ec, size = 147456	1	Fn Data
MEM	WRITE	address = 0x4ece724, process_name = C:\Windows\SysWOW64\svchost.exe -k netsvcs, os_pid = 0x2ec, size = 4	1	Fn Data
MEM	WRITE	address = 0x4ece840, process_name = C:\Windows\SysWOW64\svchost.exe -k netsvcs, os_pid = 0x2ec, size = 4	1	Fn Data
MEM	WRITE	address = 0x4ecee38, process_name = C:\Windows\SysWOW64\svchost.exe -k netsvcs, os_pid = 0x2ec, size = 4	1	Fn Data
THREAD	CREATE	process_name = C:\Windows\SysWOW64\svchost.exe -k netsvcs, os_pid = 0x2ec, proc_address = 0x4ebc978, flags = THREAD_RUNS_IMMEDIATELY	1	Fn
MUTEX	OPEN	mutex_name = A1000000DA6AF38235D35BF570C2C4E9, desired_access = SYNCHRONIZE	2	Fn
PROC	CREATE	process_name = C:\Windows\SysWOW64\svchost.exe -k netsvcs, os_tid = 0xc58, os_pid = 0xc54, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
MUTEX	CREATE	mutex_name = AD0000002B4477546D3A308A977C30F1, initial_owner = 1	1	Fn
MEM	ALLOC	address = 0x5b0000, process_name = C:\Windows\SysWOW64\svchost.exe -k netsvcs, os_pid = 0xc54, size = 147456, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE	1	Fn
MEM	WRITE	address = 0x5b0000, process_name = C:\Windows\SysWOW64\svchost.exe -k netsvcs, os_pid = 0xc54, size = 147456	1	Fn Data
MEM	WRITE	address = 0x5ce724, process_name = C:\Windows\SysWOW64\svchost.exe -k netsvcs, os_pid = 0xc54, size = 4	1	Fn Data
MEM	WRITE	address = 0x5ce840, process_name = C:\Windows\SysWOW64\svchost.exe -k netsvcs, os_pid = 0xc54, size = 4	1	Fn Data
MEM	WRITE	address = 0x5cee38, process_name = C:\Windows\SysWOW64\svchost.exe -k netsvcs, os_pid = 0xc54, size = 4	1	Fn Data
THREAD	CREATE	process_name = C:\Windows\SysWOW64\svchost.exe -k netsvcs, os_pid = 0xc54, proc_address = 0x5bc978, flags = THREAD_RUNS_IMMEDIATELY	1	Fn

Process #3: svchost.exe

(Host: 1960, Network: 1)

Information	Value
ID / OS PID	#3 / 0x2ec
OS Parent PID	0x84 (c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe)
Initial Working Directory	C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming
File Name	c:\windows\syswow64\svchost.exe
Command Line	C:\Windows\SysWOW64\svchost.exe -k netsvcs
Monitor	Start Time: 00:00:58, Reason: Child Process
Unmonitor	End Time: 00:02:38, Reason: Terminated by Timeout
Monitor Duration	00:01:40
OS Thread IDs	#5 0x540 #6 0x7E4 #7 0x24C #17 0xD4C #18 0xD50 #21 0xD6C #22 0xD70 #23 0xD74 #24 0xD78 #25 0xD7C #26 0xD80 #27 0xD84 #28 0xD88 #34 0xDA0 #35 0xDA4 #36 0xDAC

Region

Name	Start VA	End VA	Type	Permissions	Actions
svchost.exe	0x00900000	0x0090afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000db0000	0x00db0000	0x04daffff	Pagefile Backed Memory	-	Region Actions
private_0x0000000004db0000	0x04db0000	0x04dcffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000004db0000	0x04db0000	0x04dbffff	Pagefile Backed Memory	Readable, Writable	Region Actions
svchost.exe.mui	0x04dc0000	0x04dc0fff	Memory Mapped File	Readable	Region Actions
private_0x0000000004dd0000	0x04dd0000	0x04dd0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004dd0000	0x04dd0000	0x04dd0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000004de0000	0x04de0000	0x04df3fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000004e00000	0x04e00000	0x04e3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004e40000	0x04e40000	0x04e7ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000004e80000	0x04e80000	0x04e83fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000004e90000	0x04e90000	0x04e90fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000004ea0000	0x04ea0000	0x04ea1fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004eb0000	0x04eb0000	0x04ed3fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000004ee0000	0x04ee0000	0x04f1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004ee0000	0x04ee0000	0x04efefff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004ee0000	0x04ee0000	0x04f1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004f20000	0x04f20000	0x04f5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004f20000	0x04f20000	0x04f5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004f60000	0x04f60000	0x04f9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004fa0000	0x04fa0000	0x04fdffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004fe0000	0x04fe0000	0x04fe0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004ff0000	0x04ff0000	0x04ff0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000005000000	0x05000000	0x05003fff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x05010000	0x050cdfff	Memory Mapped File	Readable	Region Actions
private_0x00000000050d0000	0x050d0000	0x050e2fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000050d0000	0x050d0000	0x050d0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
counters.dat	0x050e0000	0x050e0fff	Memory Mapped File	Readable, Writable	Region Actions Download
private_0x00000000050f0000	0x050f0000	0x050f6fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005100000	0x05100000	0x051fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005200000	0x05200000	0x052fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005300000	0x05300000	0x0533ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005340000	0x05340000	0x05340fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005340000	0x05340000	0x05352fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000005340000	0x05340000	0x0534ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000005350000	0x05350000	0x05350fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000005360000	0x05360000	0x05363fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005370000	0x05370000	0x053affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000053b0000	0x053b0000	0x053effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000053f0000	0x053f0000	0x053f1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000005400000	0x05400000	0x054fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005500000	0x05500000	0x0553ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005540000	0x05540000	0x0557ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005580000	0x05580000	0x055bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000055c0000	0x055c0000	0x055c4fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000055d0000	0x055d0000	0x055e2fff	Private Memory	Readable, Writable	Region Actions
mswsock.dll.mui	0x055d0000	0x055d2fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000055e0000	0x055e0000	0x055e1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000055f0000	0x055f0000	0x055f0fff	Private Memory	Readable, Writable	Region Actions
crypt32.dll.mui	0x055f0000	0x055f9fff	Memory Mapped File	Readable	Region Actions
private_0x0000000005600000	0x05600000	0x057cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005600000	0x05600000	0x056fffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x05700000	0x05a36fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000005a40000	0x05a40000	0x05bc7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000005bd0000	0x05bd0000	0x05d50fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000005d60000	0x05d60000	0x0715ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000007160000	0x07160000	0x0725ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007260000	0x07260000	0x0735ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007360000	0x07360000	0x0745ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007460000	0x07460000	0x0755ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007560000	0x07560000	0x0759ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000075a0000	0x075a0000	0x0769ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000076a0000	0x076a0000	0x076dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000076e0000	0x076e0000	0x077dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000077e0000	0x077e0000	0x077f2fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000077e0000	0x077e0000	0x0781ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007820000	0x07820000	0x0785ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007860000	0x07860000	0x0789ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007860000	0x07860000	0x07872fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007860000	0x07860000	0x07872fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007860000	0x07860000	0x07870fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000078a0000	0x078a0000	0x078dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000078e0000	0x078e0000	0x078f2fff	Private Memory	Readable, Writable	Region Actions
winnlsres.dll	0x078e0000	0x078e4fff	Memory Mapped File	Readable	Region Actions
winnlsres.dll.mui	0x078f0000	0x078fffff	Memory Mapped File	Readable	Region Actions
private_0x0000000007900000	0x07900000	0x0793ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007940000	0x07940000	0x0797ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000079a0000	0x079a0000	0x079a4fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007a00000	0x07a00000	0x07baffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007a00000	0x07a00000	0x07afffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007b00000	0x07b00000	0x07bfffff	Private Memory	Readable, Writable	Region Actions
wow64win.dll	0x64da0000	0x64e12fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x64e20000	0x64e6efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x64e70000	0x64e77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ncryptsslp.dll	0x73660000	0x73679fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cabinet.dll	0x73680000	0x736a1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
webio.dll	0x736b0000	0x73717fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x73720000	0x73733fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc6.dll	0x73740000	0x73752fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptnet.dll	0x73760000	0x73785fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gpapi.dll	0x73790000	0x737aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dpapi.dll	0x737b0000	0x737b7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntasn1.dll	0x737c0000	0x737e7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ncrypt.dll	0x737f0000	0x7380ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mskeyprotect.dll	0x73810000	0x7381ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
schannel.dll	0x73820000	0x7387ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x73880000	0x73a88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
FWPUCLNT.DLL	0x73a90000	0x73ad5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasadhlp.dll	0x73ae0000	0x73ae7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x73af0000	0x73b73fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x73b80000	0x73bcdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winhttp.dll	0x73bd0000	0x73c76fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x73c80000	0x73c87fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
IPHLPAPI.DLL	0x73c90000	0x73cbffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x73cc0000	0x73e1ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x73e20000	0x740e0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x740f0000	0x74313fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x74320000	0x74347fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x74350000	0x74359fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74360000	0x7438efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcrypt.dll	0x74390000	0x743aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x743b0000	0x743c2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
OnDemandConnRouteHelper.dll	0x743d0000	0x743e0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x743f0000	0x74464fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x74470000	0x744c8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x744d0000	0x744d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x744e0000	0x744fdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x745a0000	0x7465dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x74660000	0x747acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x747b0000	0x75b6efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75b70000	0x75c1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75dd0000	0x75f0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x75f10000	0x75f15fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.storage.dll	0x75f20000	0x763fcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Wldap32.dll	0x76400000	0x76452fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76460000	0x7654ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76550000	0x765e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x765f0000	0x76764fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x768f0000	0x768fdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wintrust.dll	0x76900000	0x76941fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x76950000	0x76956fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x76960000	0x769bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x769c0000	0x76adffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76ae0000	0x76b23fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76d70000	0x76deafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
SHCore.dll	0x76df0000	0x76e7cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel.appcore.dll	0x76e80000	0x76e8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel.appcore.dll	0x76e80000	0x76e8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76e90000	0x76ed2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x76fa0000	0x77115fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
combase.dll	0x77120000	0x772d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x77340000	0x7734efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77350000	0x7737afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x77380000	0x773c3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x773d0000	0x77548fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007e7c2000	0x7e7c2000	0x7e7c4fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e7c5000	0x7e7c5000	0x7e7c7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e7c8000	0x7e7c8000	0x7e7cafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e7cb000	0x7e7cb000	0x7e7cdfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e7ce000	0x7e7ce000	0x7e7d0fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e7d1000	0x7e7d1000	0x7e7d3fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e7d4000	0x7e7d4000	0x7e7d6fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e7d7000	0x7e7d7000	0x7e7d9fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e7da000	0x7e7da000	0x7e7dcfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e7dd000	0x7e7dd000	0x7e7dffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007e7e0000	0x7e7e0000	0x7e8dffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007e8e0000	0x7e8e0000	0x7e902fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007e903000	0x7e903000	0x7e905fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e906000	0x7e906000	0x7e908fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e906000	0x7e906000	0x7e908fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e909000	0x7e909000	0x7e909fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e90b000	0x7e90b000	0x7e90dfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e90e000	0x7e90e000	0x7e90efff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7dfd2ef5ffff	Private Memory	Readable	Region Actions
pagefile_0x00007dfd2ef60000	0x7dfd2ef60000	0x7ffd2ef5ffff	Pagefile Backed Memory	-	Region Actions
ntdll.dll	0x7ffd2ef60000	0x7ffd2f121fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007ffd2f122000	0x7ffd2f122000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe	0xbcc	address = 0x4eb0000, size = 147456	1	Fn Data
Modify Memory	c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe	0xbcc	address = 0x4ece724, size = 4	1	Fn Data
Modify Memory	c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe	0xbcc	address = 0x4ece840, size = 4	1	Fn Data
Modify Memory	c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe	0xbcc	address = 0x4ecee38, size = 4	1	Fn Data
Create Remote Thread	c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe	0xbcc	address = 0x4ebc978, flags = THREAD_RUNS_IMMEDIATELY	1	Fn

Threads

Thread 0x7e4

(Host: 65, Network: 0)

Category	Operation	Information	Count	Logfile
MOD	LOAD	module_name = KERNEL32.dll, base_address = 0x76460000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = InterlockedIncrement, address = 0x76477520	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address = 0x764725e0	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address = 0x76477910	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = HeapDestroy, address = 0x7647d940	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = HeapCreate, address = 0x76479950	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = InterlockedExchange, address = 0x76477650	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address = 0x7740da90	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address = 0x76477940	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address = 0x7647d8d0	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address = 0x76479640	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address = 0x76472db0	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = InterlockedDecrement, address = 0x76477560	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address = 0x764777b0	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = HeapReAlloc, address = 0x7740bae0	1	Fn
MOD	GET_HANDLE	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x773d0000	1	Fn
MOD	LOAD	module_name = NTDLL, base_address = 0x773d0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\ntdll.dll, function = RtlAddVectoredExceptionHandler, address = 0x7742f090	1	Fn
MOD	GET_HANDLE	module_name = advapi32.dll, base_address = 0x0	1	Fn
MOD	LOAD	module_name = advapi32.dll, base_address = 0x76d70000	1	Fn
MOD	LOAD	module_name = NTDLL, base_address = 0x773d0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\ntdll.dll, function = RtlInitializeCriticalSection, address = 0x774295f0	1	Fn
MOD	GET_HANDLE	module_name = shlwapi.dll, base_address = 0x0	1	Fn
MOD	LOAD	module_name = shlwapi.dll, base_address = 0x76ae0000	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_OPERATION, READ_CONTROL, desired_access = PROCESS_VM_OPERATION, READ_CONTROL	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
MOD	GET_HANDLE	module_name = psapi.dll, base_address = 0x0	1	Fn
MOD	LOAD	module_name = psapi.dll, base_address = 0x75f10000	1	Fn
MOD	GET_FILENAME	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, file_name = C:\Windows\SysWOW64\svchost.exe, module_name = psapi.dll, os_pid = 0x990	1	Fn
MUTEX	CREATE	mutex_name = D20000002A14C6E52964F51932B9F49F, initial_owner = 1	1	Fn
MOD	GET_HANDLE	module_name = c:\windows\syswow64\user32.dll, base_address = 0x75dd0000	1	Fn
MOD	GET_HANDLE	module_name = wininet.dll, base_address = 0x0	1	Fn
MOD	LOAD	module_name = wininet.dll, base_address = 0x740f0000	1	Fn
MOD	GET_HANDLE	module_name = secur32.dll, base_address = 0x0	1	Fn
MOD	LOAD	module_name = secur32.dll, base_address = 0x74350000	1	Fn
MOD	LOAD	module_name = SSPICLI, base_address = 0x744e0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\sspicli.dll, function = GetUserNameExW, address = 0x744ec5f0	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 529	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 1103	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
MUTEX	OPEN	mutex_name = 4B000000D586D2D8AB6E07EC44CC9183, desired_access = SYNCHRONIZE	1	Fn
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo, value_name = Onpiwaad	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\desktop (create shortcut).igb, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 1103	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 1361	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn

Thread 0xd6c

(Host: 122, Network: 1)

Category	Operation	Information	Count	Logfile
MUTEX	CREATE	mutex_name = D9000000F219E1C779E2E7AC08DFD815, initial_owner = 0	1	Fn
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo, value_name = Onpiwaad	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\desktop (create shortcut).igb, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 2193	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 2451	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
MUTEX	CREATE	mutex_name = D5000000C70E48D5408251026F4BDA97, initial_owner = 0	1	Fn
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo, value_name = Vipoug	1	Fn
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo, value_name = Onpiwaad	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\desktop (create shortcut).igb, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 2967	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 3225	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo	1	Fn
REG	WRITE_VALUE	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo, value_name = Vipoug	1	Fn Data
MUTEX	RELEASE	mutex_name = D5000000C70E48D5408251026F4BDA97	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 300	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo, value_name = Vipoug	2	Fn Data
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo, value_name = Onpiwaad	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\desktop (create shortcut).igb, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 782	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 1040	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 1294	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 1584	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
MOD	GET_HANDLE	module_name = crypt32.dll, base_address = 0x0	1	Fn
MOD	LOAD	module_name = crypt32.dll, base_address = 0x765f0000	1	Fn
REG	OPEN_KEY	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data_ident_out = 0	1	Fn
REG	OPEN_KEY	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = DigitalProductId	1	Fn
MOD	GET_HANDLE	module_name = urlmon.dll, base_address = 0x0	1	Fn
MOD	LOAD	module_name = urlmon.dll, base_address = 0x73cc0000	1	Fn
INET	OPEN_CONNECTION		1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 4591	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 4808	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo, value_name = Onpiwaad	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\desktop (create shortcut).igb, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 4808	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 5066	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 5066	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 5303	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn

Thread 0xd70

(Host: 231, Network: 0)

Category	Operation	Information	Count	Logfile
MUTEX	CREATE	mutex_name = 7D0000008AA73D983C6DEAFF4C3848A7, initial_owner = 0	1	Fn
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo, value_name = Onpiwaad	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\desktop (create shortcut).igb, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 2451	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 2709	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo, value_name = Vipoug	1	Fn
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo, value_name = Onpiwaad	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\desktop (create shortcut).igb, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 3485	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 3743	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 558	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 782	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo, value_name = Vipoug	2	Fn Data
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 1040	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 1294	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo, value_name = Onpiwaad	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\desktop (create shortcut).igb, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 1584	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 1842	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 1842	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 2080	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo, value_name = Vipoug	2	Fn Data
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo, value_name = Onpiwaad	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\desktop (create shortcut).igb, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 2080	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 2338	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo, value_name = Vipoug	2	Fn Data
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 2338	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 2593	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo, value_name = Onpiwaad	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\desktop (create shortcut).igb, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 2593	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 2851	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 2851	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 3089	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo, value_name = Vipoug	2	Fn Data
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 3089	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 3344	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo, value_name = Onpiwaad	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\desktop (create shortcut).igb, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 3344	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 3602	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 3602	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 3840	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo, value_name = Vipoug	2	Fn Data
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 3840	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 4095	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo, value_name = Onpiwaad	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\desktop (create shortcut).igb, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 4095	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 4353	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 4353	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 4591	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn

Thread 0xd74

(Host: 36, Network: 0)

Category	Operation	Information	Count	Logfile
MUTEX	CREATE	mutex_name = 3B000000F5DFE9C2D11C32931F7D5BB4, initial_owner = 0	1	Fn
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo, value_name = Onpiwaad	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\desktop (create shortcut).igb, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 2709	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 2967	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, create_disposition = OPEN_EXISTING	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
FILE	MOVE	destination_file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.tmp, source_file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe	1	Fn
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo, value_name = Onpiwaad	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\desktop (create shortcut).igb, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 300	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 558	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
SYS	SLEEP	duration = 60000 milliseconds (60.000 seconds)	1	Fn

Thread 0xd78

(Host: 1445, Network: 0)

Category	Operation	Information	Count	Logfile
MUTEX	CREATE	mutex_name = C0000000844EE6C40648470D345E7B65, initial_owner = 0	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
PROC	OPEN	process_name = System Idle Process, os_pid = 0x0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = System, os_pid = 0x4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\smss.exe, os_pid = 0x108, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x150, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wininit.exe, os_pid = 0x18c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\winlogon.exe, os_pid = 0x1c4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\services.exe, os_pid = 0x1dc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x23c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x25c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\dwm.exe, os_pid = 0x2e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x320, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x334, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x354, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x368, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x390, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x274, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\spoolsv.exe, os_pid = 0x230, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x41c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x550, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sihost.exe, os_pid = 0x700, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\taskhostw.exe, os_pid = 0x728, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\explorer.exe, os_pid = 0x7cc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\runtimebroker.exe, os_pid = 0x4b0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, os_pid = 0x910, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, os_pid = 0xa10, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x590, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiadap.exe, os_pid = 0xb34, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sppsvc.exe, os_pid = 0x6ac, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0x414, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xba8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiprvse.exe, os_pid = 0xfc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\audiodg.exe, os_pid = 0x3f8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_QUERY_INFORMATION	2	Fn
PROC	OPEN_TOKEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
PROC	OPEN	process_name = System Idle Process, os_pid = 0x0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = System, os_pid = 0x4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\smss.exe, os_pid = 0x108, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x150, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wininit.exe, os_pid = 0x18c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\winlogon.exe, os_pid = 0x1c4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\services.exe, os_pid = 0x1dc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x23c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x25c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\dwm.exe, os_pid = 0x2e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x320, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x334, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x354, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x368, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x390, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x274, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\spoolsv.exe, os_pid = 0x230, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x41c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x550, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sihost.exe, os_pid = 0x700, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\taskhostw.exe, os_pid = 0x728, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\explorer.exe, os_pid = 0x7cc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\runtimebroker.exe, os_pid = 0x4b0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, os_pid = 0x910, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, os_pid = 0xa10, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x590, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiadap.exe, os_pid = 0xb34, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sppsvc.exe, os_pid = 0x6ac, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0x414, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xba8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiprvse.exe, os_pid = 0xfc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\audiodg.exe, os_pid = 0x3f8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_QUERY_INFORMATION	2	Fn
PROC	OPEN_TOKEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
PROC	OPEN	process_name = System Idle Process, os_pid = 0x0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = System, os_pid = 0x4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\smss.exe, os_pid = 0x108, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x150, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wininit.exe, os_pid = 0x18c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\winlogon.exe, os_pid = 0x1c4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\services.exe, os_pid = 0x1dc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x23c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x25c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\dwm.exe, os_pid = 0x2e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x320, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x334, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x354, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x368, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x390, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x274, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\spoolsv.exe, os_pid = 0x230, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x41c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x550, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sihost.exe, os_pid = 0x700, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\taskhostw.exe, os_pid = 0x728, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\explorer.exe, os_pid = 0x7cc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\runtimebroker.exe, os_pid = 0x4b0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, os_pid = 0x910, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, os_pid = 0xa10, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x590, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiadap.exe, os_pid = 0xb34, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sppsvc.exe, os_pid = 0x6ac, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0x414, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xba8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiprvse.exe, os_pid = 0xfc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\audiodg.exe, os_pid = 0x3f8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_QUERY_INFORMATION	2	Fn
PROC	OPEN_TOKEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
PROC	OPEN	process_name = System Idle Process, os_pid = 0x0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = System, os_pid = 0x4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\smss.exe, os_pid = 0x108, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x150, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wininit.exe, os_pid = 0x18c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\winlogon.exe, os_pid = 0x1c4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\services.exe, os_pid = 0x1dc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x23c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x25c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\dwm.exe, os_pid = 0x2e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x320, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x334, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x354, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x368, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x390, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x274, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\spoolsv.exe, os_pid = 0x230, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x41c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x550, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sihost.exe, os_pid = 0x700, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\taskhostw.exe, os_pid = 0x728, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\explorer.exe, os_pid = 0x7cc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\runtimebroker.exe, os_pid = 0x4b0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, os_pid = 0x910, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, os_pid = 0xa10, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x590, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiadap.exe, os_pid = 0xb34, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sppsvc.exe, os_pid = 0x6ac, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0x414, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xba8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiprvse.exe, os_pid = 0xfc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\audiodg.exe, os_pid = 0x3f8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_QUERY_INFORMATION	2	Fn
PROC	OPEN_TOKEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
PROC	OPEN	process_name = System Idle Process, os_pid = 0x0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = System, os_pid = 0x4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\smss.exe, os_pid = 0x108, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x150, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wininit.exe, os_pid = 0x18c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\winlogon.exe, os_pid = 0x1c4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\services.exe, os_pid = 0x1dc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x23c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x25c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\dwm.exe, os_pid = 0x2e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x320, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x334, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x354, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x368, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x390, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x274, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\spoolsv.exe, os_pid = 0x230, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x41c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x550, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sihost.exe, os_pid = 0x700, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\taskhostw.exe, os_pid = 0x728, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\explorer.exe, os_pid = 0x7cc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\runtimebroker.exe, os_pid = 0x4b0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, os_pid = 0x910, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, os_pid = 0xa10, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x590, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiadap.exe, os_pid = 0xb34, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sppsvc.exe, os_pid = 0x6ac, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0x414, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xba8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiprvse.exe, os_pid = 0xfc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\audiodg.exe, os_pid = 0x3f8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_QUERY_INFORMATION	2	Fn
PROC	OPEN_TOKEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
PROC	OPEN	process_name = System Idle Process, os_pid = 0x0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = System, os_pid = 0x4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\smss.exe, os_pid = 0x108, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x150, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wininit.exe, os_pid = 0x18c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\winlogon.exe, os_pid = 0x1c4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\services.exe, os_pid = 0x1dc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x23c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x25c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\dwm.exe, os_pid = 0x2e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x320, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x334, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x354, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x368, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x390, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x274, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\spoolsv.exe, os_pid = 0x230, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x41c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x550, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sihost.exe, os_pid = 0x700, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\taskhostw.exe, os_pid = 0x728, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\explorer.exe, os_pid = 0x7cc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\runtimebroker.exe, os_pid = 0x4b0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, os_pid = 0x910, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, os_pid = 0xa10, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x590, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiadap.exe, os_pid = 0xb34, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sppsvc.exe, os_pid = 0x6ac, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0x414, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xba8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiprvse.exe, os_pid = 0xfc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\audiodg.exe, os_pid = 0x3f8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_QUERY_INFORMATION	2	Fn
PROC	OPEN_TOKEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
PROC	OPEN	process_name = System Idle Process, os_pid = 0x0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = System, os_pid = 0x4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\smss.exe, os_pid = 0x108, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x150, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wininit.exe, os_pid = 0x18c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\winlogon.exe, os_pid = 0x1c4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\services.exe, os_pid = 0x1dc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x23c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x25c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\dwm.exe, os_pid = 0x2e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x320, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x334, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x354, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x368, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x390, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x274, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\spoolsv.exe, os_pid = 0x230, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x41c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x550, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sihost.exe, os_pid = 0x700, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\taskhostw.exe, os_pid = 0x728, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\explorer.exe, os_pid = 0x7cc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\runtimebroker.exe, os_pid = 0x4b0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, os_pid = 0x910, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, os_pid = 0xa10, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x590, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiadap.exe, os_pid = 0xb34, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sppsvc.exe, os_pid = 0x6ac, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0x414, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xba8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiprvse.exe, os_pid = 0xfc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\audiodg.exe, os_pid = 0x3f8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_QUERY_INFORMATION	2	Fn
PROC	OPEN_TOKEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
PROC	OPEN	process_name = System Idle Process, os_pid = 0x0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = System, os_pid = 0x4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\smss.exe, os_pid = 0x108, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x150, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wininit.exe, os_pid = 0x18c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\winlogon.exe, os_pid = 0x1c4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\services.exe, os_pid = 0x1dc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x23c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x25c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\dwm.exe, os_pid = 0x2e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x320, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x334, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x354, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x368, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x390, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x274, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\spoolsv.exe, os_pid = 0x230, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x41c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x550, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sihost.exe, os_pid = 0x700, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\taskhostw.exe, os_pid = 0x728, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\explorer.exe, os_pid = 0x7cc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\runtimebroker.exe, os_pid = 0x4b0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, os_pid = 0x910, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, os_pid = 0xa10, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x590, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiadap.exe, os_pid = 0xb34, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sppsvc.exe, os_pid = 0x6ac, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0x414, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xba8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiprvse.exe, os_pid = 0xfc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\audiodg.exe, os_pid = 0x3f8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_QUERY_INFORMATION	2	Fn
PROC	OPEN_TOKEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
PROC	OPEN	process_name = System Idle Process, os_pid = 0x0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = System, os_pid = 0x4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\smss.exe, os_pid = 0x108, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x150, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wininit.exe, os_pid = 0x18c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\winlogon.exe, os_pid = 0x1c4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\services.exe, os_pid = 0x1dc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x23c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x25c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\dwm.exe, os_pid = 0x2e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x320, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x334, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x354, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x368, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x390, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x274, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\spoolsv.exe, os_pid = 0x230, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x41c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x550, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sihost.exe, os_pid = 0x700, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\taskhostw.exe, os_pid = 0x728, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\explorer.exe, os_pid = 0x7cc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\runtimebroker.exe, os_pid = 0x4b0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, os_pid = 0x910, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, os_pid = 0xa10, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x590, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiadap.exe, os_pid = 0xb34, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sppsvc.exe, os_pid = 0x6ac, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0x414, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xba8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiprvse.exe, os_pid = 0xfc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\audiodg.exe, os_pid = 0x3f8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_QUERY_INFORMATION	2	Fn
PROC	OPEN_TOKEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
PROC	OPEN	process_name = System Idle Process, os_pid = 0x0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = System, os_pid = 0x4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\smss.exe, os_pid = 0x108, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x150, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wininit.exe, os_pid = 0x18c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\winlogon.exe, os_pid = 0x1c4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\services.exe, os_pid = 0x1dc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x23c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x25c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\dwm.exe, os_pid = 0x2e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x320, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x334, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x354, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x368, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x390, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x274, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\spoolsv.exe, os_pid = 0x230, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x41c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x550, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sihost.exe, os_pid = 0x700, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\taskhostw.exe, os_pid = 0x728, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\explorer.exe, os_pid = 0x7cc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\runtimebroker.exe, os_pid = 0x4b0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, os_pid = 0x910, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, os_pid = 0xa10, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x590, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiadap.exe, os_pid = 0xb34, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sppsvc.exe, os_pid = 0x6ac, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0x414, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xba8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiprvse.exe, os_pid = 0xfc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\audiodg.exe, os_pid = 0x3f8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_QUERY_INFORMATION	2	Fn
PROC	OPEN_TOKEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
PROC	OPEN	process_name = System Idle Process, os_pid = 0x0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = System, os_pid = 0x4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\smss.exe, os_pid = 0x108, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x150, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wininit.exe, os_pid = 0x18c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\winlogon.exe, os_pid = 0x1c4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\services.exe, os_pid = 0x1dc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x23c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x25c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\dwm.exe, os_pid = 0x2e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x320, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x334, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x354, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x368, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x390, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x274, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\spoolsv.exe, os_pid = 0x230, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x41c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x550, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sihost.exe, os_pid = 0x700, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\taskhostw.exe, os_pid = 0x728, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\explorer.exe, os_pid = 0x7cc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\runtimebroker.exe, os_pid = 0x4b0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, os_pid = 0x910, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, os_pid = 0xa10, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x590, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiadap.exe, os_pid = 0xb34, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sppsvc.exe, os_pid = 0x6ac, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0x414, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xba8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiprvse.exe, os_pid = 0xfc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\audiodg.exe, os_pid = 0x3f8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_QUERY_INFORMATION	2	Fn
PROC	OPEN_TOKEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
PROC	OPEN	process_name = System Idle Process, os_pid = 0x0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = System, os_pid = 0x4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\smss.exe, os_pid = 0x108, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x150, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wininit.exe, os_pid = 0x18c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\winlogon.exe, os_pid = 0x1c4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\services.exe, os_pid = 0x1dc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x23c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x25c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\dwm.exe, os_pid = 0x2e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x320, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x334, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x354, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x368, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x390, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x274, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\spoolsv.exe, os_pid = 0x230, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x41c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x550, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sihost.exe, os_pid = 0x700, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\taskhostw.exe, os_pid = 0x728, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\explorer.exe, os_pid = 0x7cc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\runtimebroker.exe, os_pid = 0x4b0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, os_pid = 0x910, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, os_pid = 0xa10, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x590, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiadap.exe, os_pid = 0xb34, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sppsvc.exe, os_pid = 0x6ac, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0x414, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xba8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiprvse.exe, os_pid = 0xfc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\audiodg.exe, os_pid = 0x3f8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_QUERY_INFORMATION	2	Fn
PROC	OPEN_TOKEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
PROC	OPEN	process_name = System Idle Process, os_pid = 0x0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = System, os_pid = 0x4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\smss.exe, os_pid = 0x108, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x150, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wininit.exe, os_pid = 0x18c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\winlogon.exe, os_pid = 0x1c4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\services.exe, os_pid = 0x1dc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x23c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x25c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\dwm.exe, os_pid = 0x2e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x320, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x334, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x354, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x368, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x390, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x274, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\spoolsv.exe, os_pid = 0x230, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x41c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x550, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sihost.exe, os_pid = 0x700, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\taskhostw.exe, os_pid = 0x728, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\explorer.exe, os_pid = 0x7cc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\runtimebroker.exe, os_pid = 0x4b0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, os_pid = 0x910, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, os_pid = 0xa10, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x590, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiadap.exe, os_pid = 0xb34, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sppsvc.exe, os_pid = 0x6ac, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xba8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiprvse.exe, os_pid = 0xfc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\audiodg.exe, os_pid = 0x3f8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_QUERY_INFORMATION	2	Fn
PROC	OPEN_TOKEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xdc0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
PROC	OPEN	process_name = System Idle Process, os_pid = 0x0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = System, os_pid = 0x4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\smss.exe, os_pid = 0x108, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x150, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wininit.exe, os_pid = 0x18c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\winlogon.exe, os_pid = 0x1c4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\services.exe, os_pid = 0x1dc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x23c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x25c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\dwm.exe, os_pid = 0x2e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x320, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x334, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x354, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x368, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x390, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x274, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\spoolsv.exe, os_pid = 0x230, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x41c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x550, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sihost.exe, os_pid = 0x700, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\taskhostw.exe, os_pid = 0x728, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\explorer.exe, os_pid = 0x7cc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\runtimebroker.exe, os_pid = 0x4b0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, os_pid = 0x910, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, os_pid = 0xa10, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x590, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiadap.exe, os_pid = 0xb34, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sppsvc.exe, os_pid = 0x6ac, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xba8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiprvse.exe, os_pid = 0xfc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\audiodg.exe, os_pid = 0x3f8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_QUERY_INFORMATION	2	Fn
PROC	OPEN_TOKEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xdc0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
PROC	OPEN	process_name = System Idle Process, os_pid = 0x0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = System, os_pid = 0x4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\smss.exe, os_pid = 0x108, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x150, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wininit.exe, os_pid = 0x18c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\winlogon.exe, os_pid = 0x1c4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\services.exe, os_pid = 0x1dc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x23c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x25c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\dwm.exe, os_pid = 0x2e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x320, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x334, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x354, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x368, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x390, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x274, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\spoolsv.exe, os_pid = 0x230, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x41c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x550, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sihost.exe, os_pid = 0x700, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\taskhostw.exe, os_pid = 0x728, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\explorer.exe, os_pid = 0x7cc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\runtimebroker.exe, os_pid = 0x4b0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, os_pid = 0x910, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, os_pid = 0xa10, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x590, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiadap.exe, os_pid = 0xb34, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sppsvc.exe, os_pid = 0x6ac, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xba8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiprvse.exe, os_pid = 0xfc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\audiodg.exe, os_pid = 0x3f8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_QUERY_INFORMATION	2	Fn
PROC	OPEN_TOKEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xdc0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
PROC	OPEN	process_name = System Idle Process, os_pid = 0x0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = System, os_pid = 0x4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\smss.exe, os_pid = 0x108, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x150, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wininit.exe, os_pid = 0x18c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\winlogon.exe, os_pid = 0x1c4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\services.exe, os_pid = 0x1dc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x23c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x25c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\dwm.exe, os_pid = 0x2e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x320, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x334, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x354, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x368, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x390, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x274, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\spoolsv.exe, os_pid = 0x230, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x41c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x550, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sihost.exe, os_pid = 0x700, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\taskhostw.exe, os_pid = 0x728, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\explorer.exe, os_pid = 0x7cc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\runtimebroker.exe, os_pid = 0x4b0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, os_pid = 0x910, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, os_pid = 0xa10, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x590, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiadap.exe, os_pid = 0xb34, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sppsvc.exe, os_pid = 0x6ac, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xba8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiprvse.exe, os_pid = 0xfc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\audiodg.exe, os_pid = 0x3f8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_QUERY_INFORMATION	2	Fn
PROC	OPEN_TOKEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xdc0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
PROC	OPEN	process_name = System Idle Process, os_pid = 0x0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = System, os_pid = 0x4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\smss.exe, os_pid = 0x108, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x150, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wininit.exe, os_pid = 0x18c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\winlogon.exe, os_pid = 0x1c4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\services.exe, os_pid = 0x1dc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x23c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x25c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\dwm.exe, os_pid = 0x2e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x320, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x334, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x354, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x368, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x390, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x274, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\spoolsv.exe, os_pid = 0x230, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x41c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x550, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sihost.exe, os_pid = 0x700, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\taskhostw.exe, os_pid = 0x728, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\explorer.exe, os_pid = 0x7cc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\runtimebroker.exe, os_pid = 0x4b0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, os_pid = 0x910, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, os_pid = 0xa10, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x590, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiadap.exe, os_pid = 0xb34, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sppsvc.exe, os_pid = 0x6ac, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xba8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiprvse.exe, os_pid = 0xfc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\audiodg.exe, os_pid = 0x3f8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_QUERY_INFORMATION	2	Fn
PROC	OPEN_TOKEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xdc0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
PROC	OPEN	process_name = System Idle Process, os_pid = 0x0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = System, os_pid = 0x4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\smss.exe, os_pid = 0x108, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x150, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wininit.exe, os_pid = 0x18c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\winlogon.exe, os_pid = 0x1c4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\services.exe, os_pid = 0x1dc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x23c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x25c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\dwm.exe, os_pid = 0x2e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x320, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x334, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x354, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x368, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x390, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x274, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\spoolsv.exe, os_pid = 0x230, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x41c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x550, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sihost.exe, os_pid = 0x700, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\taskhostw.exe, os_pid = 0x728, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\explorer.exe, os_pid = 0x7cc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\runtimebroker.exe, os_pid = 0x4b0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, os_pid = 0x910, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, os_pid = 0xa10, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x590, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiadap.exe, os_pid = 0xb34, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sppsvc.exe, os_pid = 0x6ac, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xba8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiprvse.exe, os_pid = 0xfc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\audiodg.exe, os_pid = 0x3f8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_QUERY_INFORMATION	2	Fn
PROC	OPEN_TOKEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xdc0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
PROC	OPEN	process_name = System Idle Process, os_pid = 0x0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = System, os_pid = 0x4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\smss.exe, os_pid = 0x108, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x150, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wininit.exe, os_pid = 0x18c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\winlogon.exe, os_pid = 0x1c4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\services.exe, os_pid = 0x1dc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x23c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x25c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\dwm.exe, os_pid = 0x2e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x320, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x334, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x354, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x368, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x390, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x274, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\spoolsv.exe, os_pid = 0x230, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x41c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x550, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sihost.exe, os_pid = 0x700, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\taskhostw.exe, os_pid = 0x728, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\explorer.exe, os_pid = 0x7cc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\runtimebroker.exe, os_pid = 0x4b0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, os_pid = 0x910, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, os_pid = 0xa10, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x590, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiadap.exe, os_pid = 0xb34, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sppsvc.exe, os_pid = 0x6ac, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xba8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiprvse.exe, os_pid = 0xfc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\audiodg.exe, os_pid = 0x3f8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_QUERY_INFORMATION	2	Fn
PROC	OPEN_TOKEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xdc0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
PROC	OPEN	process_name = System Idle Process, os_pid = 0x0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = System, os_pid = 0x4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\smss.exe, os_pid = 0x108, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x150, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wininit.exe, os_pid = 0x18c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\winlogon.exe, os_pid = 0x1c4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\services.exe, os_pid = 0x1dc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x23c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x25c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\dwm.exe, os_pid = 0x2e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x320, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x334, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x354, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x368, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x390, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x274, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\spoolsv.exe, os_pid = 0x230, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x41c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x550, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sihost.exe, os_pid = 0x700, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\taskhostw.exe, os_pid = 0x728, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\explorer.exe, os_pid = 0x7cc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\runtimebroker.exe, os_pid = 0x4b0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, os_pid = 0x910, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, os_pid = 0xa10, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x590, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiadap.exe, os_pid = 0xb34, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sppsvc.exe, os_pid = 0x6ac, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xba8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiprvse.exe, os_pid = 0xfc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\audiodg.exe, os_pid = 0x3f8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_QUERY_INFORMATION	2	Fn
PROC	OPEN_TOKEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xdc0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
PROC	OPEN	process_name = System Idle Process, os_pid = 0x0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = System, os_pid = 0x4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\smss.exe, os_pid = 0x108, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x150, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wininit.exe, os_pid = 0x18c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\winlogon.exe, os_pid = 0x1c4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\services.exe, os_pid = 0x1dc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x23c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x25c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\dwm.exe, os_pid = 0x2e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x320, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x334, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x354, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x368, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x390, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x274, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\spoolsv.exe, os_pid = 0x230, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x41c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x550, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sihost.exe, os_pid = 0x700, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\taskhostw.exe, os_pid = 0x728, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\explorer.exe, os_pid = 0x7cc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\runtimebroker.exe, os_pid = 0x4b0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, os_pid = 0x910, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, os_pid = 0xa10, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x590, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiadap.exe, os_pid = 0xb34, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sppsvc.exe, os_pid = 0x6ac, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xba8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiprvse.exe, os_pid = 0xfc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\audiodg.exe, os_pid = 0x3f8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_QUERY_INFORMATION	2	Fn
PROC	OPEN_TOKEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xdc0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\program files\windows defender\mpcmdrun.exe, os_pid = 0xde0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
PROC	OPEN	process_name = System Idle Process, os_pid = 0x0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = System, os_pid = 0x4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\smss.exe, os_pid = 0x108, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x150, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wininit.exe, os_pid = 0x18c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\winlogon.exe, os_pid = 0x1c4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\services.exe, os_pid = 0x1dc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x23c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x25c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\dwm.exe, os_pid = 0x2e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x320, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x334, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x354, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x368, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x390, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x274, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\spoolsv.exe, os_pid = 0x230, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x41c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x550, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sihost.exe, os_pid = 0x700, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\taskhostw.exe, os_pid = 0x728, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\explorer.exe, os_pid = 0x7cc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\runtimebroker.exe, os_pid = 0x4b0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, os_pid = 0x910, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, os_pid = 0xa10, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x590, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiadap.exe, os_pid = 0xb34, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sppsvc.exe, os_pid = 0x6ac, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xba8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiprvse.exe, os_pid = 0xfc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\audiodg.exe, os_pid = 0x3f8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_QUERY_INFORMATION	2	Fn
PROC	OPEN_TOKEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xdc0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
PROC	OPEN	process_name = System Idle Process, os_pid = 0x0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = System, os_pid = 0x4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\smss.exe, os_pid = 0x108, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x150, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wininit.exe, os_pid = 0x18c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\winlogon.exe, os_pid = 0x1c4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\services.exe, os_pid = 0x1dc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x23c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x25c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\dwm.exe, os_pid = 0x2e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x320, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x334, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x354, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x368, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x390, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x274, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\spoolsv.exe, os_pid = 0x230, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x41c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x550, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sihost.exe, os_pid = 0x700, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\taskhostw.exe, os_pid = 0x728, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\explorer.exe, os_pid = 0x7cc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\runtimebroker.exe, os_pid = 0x4b0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, os_pid = 0x910, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, os_pid = 0xa10, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x590, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiadap.exe, os_pid = 0xb34, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sppsvc.exe, os_pid = 0x6ac, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xba8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiprvse.exe, os_pid = 0xfc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\audiodg.exe, os_pid = 0x3f8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_QUERY_INFORMATION	2	Fn
PROC	OPEN_TOKEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xdc0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
PROC	OPEN	process_name = System Idle Process, os_pid = 0x0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = System, os_pid = 0x4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\smss.exe, os_pid = 0x108, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x150, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wininit.exe, os_pid = 0x18c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\winlogon.exe, os_pid = 0x1c4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\services.exe, os_pid = 0x1dc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x23c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x25c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\dwm.exe, os_pid = 0x2e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x320, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x334, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x354, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x368, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x390, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x274, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\spoolsv.exe, os_pid = 0x230, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x41c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x550, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sihost.exe, os_pid = 0x700, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\taskhostw.exe, os_pid = 0x728, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\explorer.exe, os_pid = 0x7cc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\runtimebroker.exe, os_pid = 0x4b0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, os_pid = 0x910, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, os_pid = 0xa10, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x590, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiadap.exe, os_pid = 0xb34, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sppsvc.exe, os_pid = 0x6ac, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xba8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiprvse.exe, os_pid = 0xfc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\audiodg.exe, os_pid = 0x3f8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_QUERY_INFORMATION	2	Fn
PROC	OPEN_TOKEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xdc0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
PROC	OPEN	process_name = System Idle Process, os_pid = 0x0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = System, os_pid = 0x4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\smss.exe, os_pid = 0x108, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x150, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wininit.exe, os_pid = 0x18c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\winlogon.exe, os_pid = 0x1c4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\services.exe, os_pid = 0x1dc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x23c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x25c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\dwm.exe, os_pid = 0x2e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x320, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x334, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x354, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x368, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x390, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x274, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\spoolsv.exe, os_pid = 0x230, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x41c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x550, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sihost.exe, os_pid = 0x700, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\taskhostw.exe, os_pid = 0x728, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\explorer.exe, os_pid = 0x7cc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\runtimebroker.exe, os_pid = 0x4b0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, os_pid = 0x910, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, os_pid = 0xa10, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x590, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiadap.exe, os_pid = 0xb34, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sppsvc.exe, os_pid = 0x6ac, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xba8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiprvse.exe, os_pid = 0xfc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\audiodg.exe, os_pid = 0x3f8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_QUERY_INFORMATION	2	Fn
PROC	OPEN_TOKEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xdc0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
PROC	OPEN	process_name = System Idle Process, os_pid = 0x0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = System, os_pid = 0x4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\smss.exe, os_pid = 0x108, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x150, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wininit.exe, os_pid = 0x18c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\winlogon.exe, os_pid = 0x1c4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\services.exe, os_pid = 0x1dc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x23c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x25c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\dwm.exe, os_pid = 0x2e4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x320, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x334, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x354, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x368, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x390, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x274, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\spoolsv.exe, os_pid = 0x230, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x41c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x550, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sihost.exe, os_pid = 0x700, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\taskhostw.exe, os_pid = 0x728, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\explorer.exe, os_pid = 0x7cc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\runtimebroker.exe, os_pid = 0x4b0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, os_pid = 0x910, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe, os_pid = 0xa10, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\svchost.exe, os_pid = 0x590, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiadap.exe, os_pid = 0xb34, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\sppsvc.exe, os_pid = 0x6ac, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xba8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wbem\wmiprvse.exe, os_pid = 0xfc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\audiodg.exe, os_pid = 0x3f8, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_QUERY_INFORMATION	2	Fn
PROC	OPEN_TOKEN	process_name = c:\windows\syswow64\svchost.exe, os_pid = 0xc54, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\backgroundtaskhost.exe, os_pid = 0xdc0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
PROC	OPEN	process_name = System Idle Process, os_pid = 0x0, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = System, os_pid = 0x4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\smss.exe, os_pid = 0x108, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x150, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\wininit.exe, os_pid = 0x18c, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\csrss.exe, os_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\winlogon.exe, os_pid = 0x1c4, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\services.exe, os_pid = 0x1dc, desired_access = PROCESS_QUERY_INFORMATION	1	Fn
For performance reasons, the remaining 408 entries are omitted. Click to download all 1408 entries as text file (1.07 MB).

Thread 0xd7c

(Host: 61, Network: 0)

Category	Operation	Information	Count	Logfile
MUTEX	CREATE	mutex_name = 4A000000AF17366BF4960AE62A76878C, initial_owner = 0	1	Fn
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run	1	Fn
REG	WRITE_VALUE	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run, value_name = Devices.exe, data = "C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\Sun\Java\Devices.exe"	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 3225	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 3485	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe, size = 124416	1	Fn Data
MOD	LOAD	module_name = NTDLL, base_address = 0x773d0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\ntdll.dll, function = RtlEnterCriticalSection, address = 0x77415e80	1	Fn
MOD	LOAD	module_name = NTDLL, base_address = 0x773d0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\ntdll.dll, function = RtlLeaveCriticalSection, address = 0x77415e00	1	Fn
SYS	SLEEP	duration = -1 (infinite)	39	Fn
SYS	SLEEP	duration = -1 (infinite)	1	Fn

Process #4: svchost.exe

(Host: 82, Network: 0)

Information	Value
ID / OS PID	#4 / 0xc54
OS Parent PID	0x84 (c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe)
Initial Working Directory	C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming
File Name	c:\windows\syswow64\svchost.exe
Command Line	C:\Windows\SysWOW64\svchost.exe -k netsvcs
Monitor	Start Time: 00:01:04, Reason: Child Process
Unmonitor	End Time: 00:02:38, Reason: Terminated by Timeout
Monitor Duration	00:01:34
OS Thread IDs	#8 0xC58 #9 0xC5C #10 0xC64 #19 0xD54 #20 0xD58 #29 0xD8C #30 0xD90 #31 0xD94 #32 0xD98 #33 0xD9C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x00000000004b0000	0x004b0000	0x004cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004b0000	0x004b0000	0x004bffff	Pagefile Backed Memory	Readable, Writable	Region Actions
svchost.exe.mui	0x004c0000	0x004c0fff	Memory Mapped File	Readable	Region Actions
private_0x00000000004d0000	0x004d0000	0x004d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004d0000	0x004d0000	0x004d0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004e0000	0x004e0000	0x004f3fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000500000	0x00500000	0x0053ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000540000	0x00540000	0x0057ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000580000	0x00580000	0x00583fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000590000	0x00590000	0x00590fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000005a0000	0x005a0000	0x005a1fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000005b0000	0x005b0000	0x005d3fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000005e0000	0x005e0000	0x0061ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000620000	0x00620000	0x0065ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000660000	0x00660000	0x0069ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000006a0000	0x006a0000	0x006a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000006b0000	0x006b0000	0x006b6fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000006c0000	0x006c0000	0x006fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000700000	0x00700000	0x007fffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00800000	0x008bdfff	Memory Mapped File	Readable	Region Actions
private_0x00000000008c0000	0x008c0000	0x008c0fff	Private Memory	Readable, Writable, Executable	Region Actions
svchost.exe	0x00900000	0x0090afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000910000	0x00910000	0x0490ffff	Pagefile Backed Memory	-	Region Actions
private_0x0000000004a10000	0x04a10000	0x04a13fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004ae0000	0x04ae0000	0x04ae3fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004b00000	0x04b00000	0x04bfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004c00000	0x04c00000	0x04cfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004e10000	0x04e10000	0x04e14fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004f00000	0x04f00000	0x0501ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004f00000	0x04f00000	0x04ffffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x05000000	0x05336fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000005340000	0x05340000	0x054c7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000054d0000	0x054d0000	0x05650fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000005660000	0x05660000	0x06a5ffff	Pagefile Backed Memory	Readable	Region Actions
wow64win.dll	0x64da0000	0x64e12fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x64e20000	0x64e6efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x64e70000	0x64e77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x740f0000	0x74313fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x74320000	0x74347fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x74350000	0x74359fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74360000	0x7438efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcrypt.dll	0x74390000	0x743aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x743b0000	0x743c2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x74470000	0x744c8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x744d0000	0x744d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x744e0000	0x744fdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x745a0000	0x7465dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x74660000	0x747acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75b70000	0x75c1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75dd0000	0x75f0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x75f10000	0x75f15fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76460000	0x7654ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x769c0000	0x76adffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76ae0000	0x76b23fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76d70000	0x76deafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76e90000	0x76ed2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x76fa0000	0x77115fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
combase.dll	0x77120000	0x772d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77350000	0x7737afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x773d0000	0x77548fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f370000	0x7f370000	0x7f46ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007f470000	0x7f470000	0x7f492fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f494000	0x7f494000	0x7f496fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007f497000	0x7f497000	0x7f499fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007f49a000	0x7f49a000	0x7f49afff	Private Memory	Readable, Writable	Region Actions
private_0x000000007f49c000	0x7f49c000	0x7f49efff	Private Memory	Readable, Writable	Region Actions
private_0x000000007f49f000	0x7f49f000	0x7f49ffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7dfd2ef5ffff	Private Memory	Readable	Region Actions
pagefile_0x00007dfd2ef60000	0x7dfd2ef60000	0x7ffd2ef5ffff	Pagefile Backed Memory	-	Region Actions
ntdll.dll	0x7ffd2ef60000	0x7ffd2f121fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007ffd2f122000	0x7ffd2f122000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe	0xbcc	address = 0x5b0000, size = 147456	1	Fn Data
Modify Memory	c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe	0xbcc	address = 0x5ce724, size = 4	1	Fn Data
Modify Memory	c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe	0xbcc	address = 0x5ce840, size = 4	1	Fn Data
Modify Memory	c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe	0xbcc	address = 0x5cee38, size = 4	1	Fn Data
Create Remote Thread	c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe	0xbcc	address = 0x5bc978, flags = THREAD_RUNS_IMMEDIATELY	1	Fn

Threads

Thread 0xc5c

(Host: 72, Network: 0)

Category	Operation	Information	Count	Logfile
MOD	LOAD	module_name = KERNEL32.dll, base_address = 0x76460000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = InterlockedIncrement, address = 0x76477520	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address = 0x764725e0	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address = 0x76477910	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = HeapDestroy, address = 0x7647d940	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = HeapCreate, address = 0x76479950	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = InterlockedExchange, address = 0x76477650	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address = 0x7740da90	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address = 0x76477940	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address = 0x7647d8d0	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address = 0x76479640	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address = 0x76472db0	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = InterlockedDecrement, address = 0x76477560	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address = 0x764777b0	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = HeapReAlloc, address = 0x7740bae0	1	Fn
MOD	GET_HANDLE	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x773d0000	1	Fn
MOD	LOAD	module_name = NTDLL, base_address = 0x773d0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\ntdll.dll, function = RtlAddVectoredExceptionHandler, address = 0x7742f090	1	Fn
MOD	GET_HANDLE	module_name = advapi32.dll, base_address = 0x0	1	Fn
MOD	LOAD	module_name = advapi32.dll, base_address = 0x76d70000	1	Fn
MOD	LOAD	module_name = NTDLL, base_address = 0x773d0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\ntdll.dll, function = RtlInitializeCriticalSection, address = 0x774295f0	1	Fn
MOD	GET_HANDLE	module_name = shlwapi.dll, base_address = 0x0	1	Fn
MOD	LOAD	module_name = shlwapi.dll, base_address = 0x76ae0000	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_OPERATION, READ_CONTROL, desired_access = PROCESS_VM_OPERATION, READ_CONTROL	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
MOD	GET_HANDLE	module_name = psapi.dll, base_address = 0x0	1	Fn
MOD	LOAD	module_name = psapi.dll, base_address = 0x75f10000	1	Fn
MOD	GET_FILENAME	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, file_name = C:\Windows\SysWOW64\svchost.exe, module_name = psapi.dll, os_pid = 0x990	1	Fn
MUTEX	CREATE	mutex_name = A1000000DA6AF38235D35BF570C2C4E9, initial_owner = 1	1	Fn
MOD	GET_HANDLE	module_name = c:\windows\syswow64\user32.dll, base_address = 0x75dd0000	1	Fn
MOD	GET_HANDLE	module_name = wininet.dll, base_address = 0x0	1	Fn
MOD	LOAD	module_name = wininet.dll, base_address = 0x740f0000	1	Fn
MOD	GET_HANDLE	module_name = secur32.dll, base_address = 0x0	1	Fn
MOD	LOAD	module_name = secur32.dll, base_address = 0x74350000	1	Fn
MOD	LOAD	module_name = SSPICLI, base_address = 0x744e0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\sspicli.dll, function = GetUserNameExW, address = 0x744ec5f0	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 1361	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 1935	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
MUTEX	OPEN	mutex_name = 4B000000D586D2D8AB6E07EC44CC9183, desired_access = SYNCHRONIZE	1	Fn
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo, value_name = Onpiwaad	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\desktop (create shortcut).igb, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
MUTEX	CREATE	mutex_name = 8A000000B7496798F6145935AA3E2760, initial_owner = 0	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeSecurityPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilege	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 1935	1	Fn Data
FILE	CREATE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	WRITE	file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe, size = 2193	1	Fn Data
MUTEX	RELEASE	mutex_name = 8A000000B7496798F6145935AA3E2760	1	Fn
MUTEX	CREATE	mutex_name = D5000000C70E48D5408251026F4BDA97, initial_owner = 0	1	Fn
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo, value_name = Vipoug	2	Fn Data
REG	CREATE_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo	1	Fn
REG	WRITE_VALUE	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo, value_name = Vipoug	1	Fn Data
MUTEX	RELEASE	mutex_name = D5000000C70E48D5408251026F4BDA97	1	Fn

Thread 0xd8c

(Host: 1, Network: 0)

Category	Operation	Information	Success	Count	Logfile
MUTEX	CREATE	mutex_name = C0000000844EE6C40648470D345E7B65, initial_owner = 0		1	Fn

Thread 0xd90

(Host: 1, Network: 0)

Category	Operation	Information	Success	Count	Logfile
MUTEX	CREATE	mutex_name = 4A000000AF17366BF4960AE62A76878C, initial_owner = 0		1	Fn

Thread 0xd94

(Host: 4, Network: 0)

Category	Operation	Information	Count	Logfile
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo, value_name = Vipoug	2	Fn Data
SYS	SLEEP	duration = -1 (infinite)	1	Fn

Thread 0xd98

(Host: 4, Network: 0)

Category	Operation	Information	Count	Logfile
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabo, value_name = Vipoug	2	Fn Data
SYS	SLEEP	duration = -1 (infinite)	1	Fn

Process #5: cmd.exe

(Host: 88, Network: 0)

Information	Value
ID / OS PID	#5 / 0xcac
OS Parent PID	0x990 (c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe)
Initial Working Directory	C:\Users\WI2yhmtI onvScY7Pe\Desktop
File Name	c:\windows\syswow64\cmd.exe
Command Line	"C:\Windows\system32\cmd.exe" /c "C:\Users\WI2YHM~1\AppData\Local\Temp\upd823d0e12.bat"
Monitor	Start Time: 00:01:09, Reason: Child Process
Unmonitor	End Time: 00:01:21, Reason: Terminated
Monitor Duration	00:00:12
OS Thread IDs	#11 0xCB0 #16 0xD00

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x00000000000e0000	0x000e0000	0x000fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000effff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f3fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00101fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00103fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000110000	0x00110000	0x00123fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000130000	0x00130000	0x0016ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000170000	0x00170000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000270000	0x00270000	0x00273fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000280000	0x00280000	0x00280fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000290000	0x00290000	0x00291fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002a0000	0x002a0000	0x002dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000300000	0x00300000	0x0030ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000320000	0x00320000	0x0041ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00420000	0x004ddfff	Memory Mapped File	Readable	Region Actions
private_0x00000000004e0000	0x004e0000	0x005dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000700000	0x00700000	0x0070ffff	Private Memory	Readable, Writable	Region Actions
cmd.exe	0x009c0000	0x00a0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000a10000	0x00a10000	0x04a0ffff	Pagefile Backed Memory	-	Region Actions
wow64win.dll	0x64da0000	0x64e12fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x64e20000	0x64e6efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x64e70000	0x64e77fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cmdext.dll	0x74460000	0x74467fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x74470000	0x744c8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x744d0000	0x744d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x744e0000	0x744fdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x745a0000	0x7465dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75b70000	0x75c1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76460000	0x7654ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76d70000	0x76deafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76e90000	0x76ed2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x76fa0000	0x77115fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x773d0000	0x77548fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007e9f0000	0x7e9f0000	0x7eaeffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007eaf0000	0x7eaf0000	0x7eb12fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007eb16000	0x7eb16000	0x7eb16fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007eb18000	0x7eb18000	0x7eb1afff	Private Memory	Readable, Writable	Region Actions
private_0x000000007eb1b000	0x7eb1b000	0x7eb1bfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007eb1d000	0x7eb1d000	0x7eb1ffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7dfd2ef5ffff	Private Memory	Readable	Region Actions
pagefile_0x00007dfd2ef60000	0x7dfd2ef60000	0x7ffd2ef5ffff	Pagefile Backed Memory	-	Region Actions
ntdll.dll	0x7ffd2ef60000	0x7ffd2f121fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007ffd2f122000	0x7ffd2f122000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xcb0

(Host: 88, Network: 0)

Category	Operation	Information	Count	Logfile
MOD	GET_HANDLE	module_name = c:\windows\syswow64\cmd.exe, base_address = 0x9c0000	1	Fn
MOD	GET_HANDLE	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76460000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address = 0x764a2780	1	Fn
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
FILE	OPEN	file_name = STD_OUTPUT_HANDLE	3	Fn
FILE	OPEN	file_name = STD_INPUT_HANDLE	2	Fn
REG	OPEN_KEY	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data_ident_out = 80	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data_ident_out = 1	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data_ident_out = 1	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data_ident_out = 0	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data_ident_out = 64	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data_ident_out = 64	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data_ident_out = 64	1	Fn
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data_ident_out = 64	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data_ident_out = 1	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data_ident_out = 1	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data_ident_out = 0	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data_ident_out = 9	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data_ident_out = 9	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data_ident_out = 9	1	Fn
MOD	GET_FILENAME	file_name = C:\Windows\SysWOW64\cmd.exe	1	Fn
PROC	SET_CURDIR	process_name = c:\windows\syswow64\cmd.exe, os_pid = 0xcac, new_path_name = c:\users\wi2yhmti onvscy7pe\desktop	1	Fn
MOD	GET_HANDLE	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76460000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address = 0x7647fa80	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address = 0x7647a790	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address = 0x770b35c0	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.bat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	OPEN	file_name = c:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.bat	3	Fn
FILE	READ	file_name = c:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.bat, size = 8191	1	Fn Data
FILE	OPEN	file_name = c:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.bat	2	Fn
FILE	OPEN	file_name = STD_OUTPUT_HANDLE	2	Fn
FILE	OPEN	file_name = STD_INPUT_HANDLE	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.bat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	OPEN	file_name = c:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.bat	3	Fn
FILE	READ	file_name = c:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.bat, size = 8191	1	Fn Data
FILE	OPEN	file_name = c:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.bat	2	Fn
FILE	CREATE	file_name = c:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.bat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	OPEN	file_name = c:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.bat	3	Fn
FILE	READ	file_name = c:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.bat, size = 8191	1	Fn Data
FILE	OPEN	file_name = c:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.bat	2	Fn
FILE	OPEN	file_name = c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, desired_access = DELETE, share_mode = FILE_SHARE_DELETE, open_options = FILE_NON_DIRECTORY_FILE, FILE_DELETE_ON_CLOSE, FILE_OPEN_FOR_BACKUP_INTENT	1	Fn
FILE	OPEN	file_name = STD_OUTPUT_HANDLE	2	Fn
FILE	OPEN	file_name = STD_INPUT_HANDLE	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.bat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	OPEN	file_name = c:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.bat	3	Fn
FILE	READ	file_name = c:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.bat, size = 8191	1	Fn Data
FILE	OPEN	file_name = c:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.bat	2	Fn
FILE	OPEN	file_name = STD_OUTPUT_HANDLE	2	Fn
FILE	OPEN	file_name = STD_INPUT_HANDLE	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.bat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	OPEN	file_name = c:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.bat	3	Fn
FILE	READ	file_name = c:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.bat, size = 8191	1	Fn Data
FILE	OPEN	file_name = c:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.bat	2	Fn
FILE	OPEN	file_name = c:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.bat, desired_access = DELETE, share_mode = FILE_SHARE_DELETE, open_options = FILE_NON_DIRECTORY_FILE, FILE_DELETE_ON_CLOSE, FILE_OPEN_FOR_BACKUP_INTENT	1	Fn
FILE	OPEN	file_name = STD_OUTPUT_HANDLE	2	Fn
FILE	OPEN	file_name = STD_INPUT_HANDLE	1	Fn
FILE	CREATE	file_name = c:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.bat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
FILE	OPEN	file_name = STD_ERROR_HANDLE	3	Fn
FILE	WRITE	file_name = STD_ERROR_HANDLE, size = 33	1	Fn Data
FILE	OPEN	file_name = STD_OUTPUT_HANDLE	2	Fn
FILE	OPEN	file_name = STD_INPUT_HANDLE	1	Fn