XZZX Cryptomix Ransomware Variant

Monitored Processes

Behavior Information - Sequential View

Process #1: xzzx_cryptmix.vir.exe

(Host: 6333, Network: 0)

Information	Value
ID	#1
File Name	c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe
Command Line	"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe"
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:11, Reason: Analysis Target
Unmonitor	End Time: 00:04:21, Reason: Terminated by Timeout
Monitor Duration	00:04:10

OS Process Information

Information	Value
PID	0x9c4
Parent PID	0x560 (c:\programdata\bce1010314.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000101a7 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 9C8 0x 9CC 0x 9D0 0x 9D4 0x 9D8 0x 9DC 0x 9E0 0x 9E8 0x 9F0 0x 9F4 0x 9FC 0x A04 0x A08 0x A0C 0x A14 0x A18 0x A24 0x A30 0x A4C 0x A6C 0x A80 0x A9C 0x AB0 0x AF4 0x B1C 0x BF0 0x BF4 0x BF8 0x BFC 0x 804 0x 814 0x 824 0x 834 0x 3FC 0x 7EC 0x 844 0x 888 0x 89C 0x 868 0x 864 0x 250 0x 624 0x 63C 0x 700 0x 5D8 0x 5F8 0x 550 0x 72C 0x 43C 0x 260 0x 850 0x 6F0 0x 5DC 0x 660 0x 8D0 0x 8D4 0x 3A8 0x 7B0 0x 794 0x 57C 0x 608 0x 530 0x 8DC 0x 8D8 0x 8A8 0x 8FC 0x 328 0x 218 0x 540 0x 910 0x 91C 0x 908 0x 8F4 0x 60C 0x 8EC 0x 744 0x 8E8 0x 8E4 0x 950 0x 95C 0x 968 0x 984 0x 9A0 0x 940 0x 92C 0x 99C 0x 934 0x 930 0x 8F0 0x 900 0x 8E0 0x 928 0x 938 0x 944 0x 998 0x 94C 0x 954 0x 924 0x 994 0x 990 0x 98C 0x 980 0x 9C0 0x 8F8 0x 914 0x 920 0x 380 0x 884 0x 9F8 0x 880 0x 878 0x 87C 0x 88C 0x 870 0x A30 0x A40 0x A74 0x AA4 0x AB0 0x AF4 0x 638 0x B24 0x 97C 0x B10 0x AE8 0x B4C 0x B1C 0x B08 0x B44 0x AE0 0x B48 0x B38 0x B58 0x B2C 0x B5C 0x AB4 0x A2C 0x B78 0x 978 0x 9BC 0x A58 0x ACC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x0003ffff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001b0000	0x001b0000	0x001b0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001c0000	0x001c0000	0x001c6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001d0000	0x001d0000	0x001d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000001e0000	0x001e0000	0x001e0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000001f0000	0x001f0000	0x001f1fff	Pagefile Backed Memory	Readable	Region Actions
windowsshell.manifest	0x00200000	0x00200fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000200000	0x00200000	0x00200fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000210000	0x00210000	0x0028ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000290000	0x00290000	0x002cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000002d0000	0x002d0000	0x002d1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000002e0000	0x002e0000	0x002e0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000002f0000	0x002f0000	0x003effff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x003f0000	0x00456fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000460000	0x00460000	0x005e7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005f0000	0x005f0000	0x00770fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000780000	0x00780000	0x01b7ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001b80000	0x01b80000	0x01bfffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001c00000	0x01c00000	0x01cdefff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001ce0000	0x01ce0000	0x01d1ffff	Private Memory	Readable, Writable	Region Actions
cversions.1.db	0x01d20000	0x01d23fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001d20000	0x01d20000	0x01d20fff	Private Memory	Readable, Writable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000012.db	0x01d30000	0x01d4dfff	Memory Mapped File	Readable	Region Actions
private_0x0000000001d50000	0x01d50000	0x01d5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d60000	0x01d60000	0x01e5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e60000	0x01e60000	0x01e9ffff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x01ea0000	0x01edbfff	Memory Mapped File	Readable	Region Actions
rsaenh.dll	0x01ea0000	0x01edbfff	Memory Mapped File	Readable	Region Actions
private_0x0000000001ea0000	0x01ea0000	0x01edffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001ee0000	0x01ee0000	0x01ee0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000001ef0000	0x01ef0000	0x01f2ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001f30000	0x01f30000	0x02322fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002330000	0x02330000	0x0242ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002430000	0x02430000	0x0246ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002470000	0x02470000	0x024affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000024b0000	0x024b0000	0x024b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000024c0000	0x024c0000	0x024c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000024d0000	0x024d0000	0x024dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000024e0000	0x024e0000	0x025dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000025e0000	0x025e0000	0x026a7fff	Private Memory	Readable, Writable, Executable	Region Actions
sortdefault.nls	0x026b0000	0x0297efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002980000	0x02980000	0x02a7ffff	Private Memory	Readable, Writable	Region Actions
kernelbase.dll.mui	0x02a80000	0x02b3ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000002b40000	0x02b40000	0x02c3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002c40000	0x02c40000	0x02c7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002c80000	0x02c80000	0x02d7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002d80000	0x02d80000	0x02d80fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002d90000	0x02d90000	0x02d90fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002da0000	0x02da0000	0x02e9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ea0000	0x02ea0000	0x02ea0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002eb0000	0x02eb0000	0x02eb0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ec0000	0x02ec0000	0x02ec0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ed0000	0x02ed0000	0x02ed0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ee0000	0x02ee0000	0x02ee0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ef0000	0x02ef0000	0x02ef0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002f00000	0x02f00000	0x02f00fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002f10000	0x02f10000	0x02f10fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002f20000	0x02f20000	0x0301ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003020000	0x03020000	0x03020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003030000	0x03030000	0x03030fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003040000	0x03040000	0x03040fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003050000	0x03050000	0x03050fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003060000	0x03060000	0x03060fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003070000	0x03070000	0x03070fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003080000	0x03080000	0x03080fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003090000	0x03090000	0x03090fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000030a0000	0x030a0000	0x030a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000030b0000	0x030b0000	0x030effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000030f0000	0x030f0000	0x031effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000031f0000	0x031f0000	0x031f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003200000	0x03200000	0x03200fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003210000	0x03210000	0x03210fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003220000	0x03220000	0x03220fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003230000	0x03230000	0x03230fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003240000	0x03240000	0x03240fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003250000	0x03250000	0x03250fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003260000	0x03260000	0x03260fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003270000	0x03270000	0x032affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000032b0000	0x032b0000	0x033affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000033b0000	0x033b0000	0x033b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000033c0000	0x033c0000	0x033c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000033d0000	0x033d0000	0x033d0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003d40000	0x03d40000	0x03d40fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000003e50000	0x03e50000	0x03e8ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000003e50000	0x03e50000	0x03e8ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000003e90000	0x03e90000	0x03f8ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000003e90000	0x03e90000	0x03f8ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004080000	0x04080000	0x04080fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004080000	0x04080000	0x04080fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004090000	0x04090000	0x04090fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004090000	0x04090000	0x04090fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000040a0000	0x040a0000	0x040dffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000040e0000	0x040e0000	0x040e0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000040f0000	0x040f0000	0x040f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004100000	0x04100000	0x0413ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004140000	0x04140000	0x04140fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004150000	0x04150000	0x04150fff	Private Memory	Readable, Writable	Region Actions Download Dump
boot.sdi	0x041d0000	0x044acfff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
private_0x00000000044b0000	0x044b0000	0x045affff	Private Memory	Readable, Writable	Region Actions Download Dump
winre.wim	0x045b0000	0x0488cfff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
private_0x0000000004890000	0x04890000	0x0498ffff	Private Memory	Readable, Writable	Region Actions Download Dump
xzzx_cryptmix.vir.exe	0x55820000	0x5585bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x74b40000	0x74bbffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74bd0000	0x74bd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74be0000	0x74c3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74c40000	0x74c7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x74cb0000	0x74cd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x74ce0000	0x74dd4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74de0000	0x74e1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74e20000	0x74e35fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x74e40000	0x74fddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x74fe0000	0x74fe7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74ff0000	0x75005fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x75000000	0x7500dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x75010000	0x75017fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pdh.dll	0x75020000	0x7505bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x75060000	0x750e3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x751f0000	0x751fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75200000	0x7525ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75260000	0x753bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x75640000	0x75651fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75660000	0x7574ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75750000	0x757defff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x757e0000	0x76429fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76430000	0x7652ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x76660000	0x76686fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x767d0000	0x7689bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x768a0000	0x768fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x76900000	0x76982fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76a20000	0x76b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76c90000	0x76cd5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76ce0000	0x76d8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x76da0000	0x76e1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76e20000	0x76eaffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x76eb0000	0x76ef4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76f00000	0x76f9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76fa0000	0x76fb8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x77000000	0x7719cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x771a0000	0x771f6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x77200000	0x7729ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000772a0000	0x772a0000	0x773befff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000773c0000	0x773c0000	0x774b9fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x774c0000	0x77668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77670000	0x77679fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776a0000	0x7781ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007ef83000	0x7ef83000	0x7ef85fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ef86000	0x7ef86000	0x7ef88fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ef89000	0x7ef89000	0x7ef8bfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ef89000	0x7ef89000	0x7ef8bfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efa4000	0x7efa4000	0x7efa6fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa7000	0x7efa7000	0x7efa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efaa000	0x7efaa000	0x7efacfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions
For performance reasons, the remaining 144 entries are omitted. The remaining entries can be found in flog.txt.

Created Files

Filename	File Size	Hash Values	Actions
c:\programdata\bce1010314.exe	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\programdata\bce1010314.exe	218.00 KB (223232 bytes)	MD5: 17f54288695fc46d11078ea493eb6626 SHA1: 548058b2233b75cdfd964c1d7be5d2b80818131a SHA256: 33a60a16e50b8df2a731023951475ff0f973fc66334d2cfa6ce30aa36bb36414	File Actions Show Properties Download
c:\programdata\bce1010314.exe:zone.identifier	0.02 KB (23 bytes)	MD5: 8d251dc834ad2282d59cb08f2152a8f7 SHA1: 1ccec082f8ccbe367cfad62f04566e337255943a SHA256: f1556a2096b4e834c3b91c637c2f5fb10fb4f2319b6c5f3143db2ce61774318d	File Actions Show Properties Download
c:\programdata\f06c3c509054x0b7d28zcddbb17087b9c3e.xzzx	0.26 KB (271 bytes)	MD5: 014c2e239ac9d84fac5f9bb42deeca6f SHA1: 54fb44cfaebd5bbf5036abc28d65c075a858081a SHA256: 9b87d898f5440a63eea60dfc4b6de79112230b0aa6ab6a91104cb99abf257aeb	File Actions Show Properties Download
c:\b0ad3ab92537b4fbfe37930729309943.xzzx	8.16 KB (8359 bytes)	MD5: 07a6cac5168cad26dc6df34d16ea41a0 SHA1: 5c9327703ea5961e21d83b9e8ee3a0128ceed4e0 SHA256: 710cd6b5104f65527a604839abdfec6f5881c212970f224ae6423482d62aaf47	File Actions Show Properties Download
c:\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\$recycle.bin\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\boot\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\config.msi\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\msocache\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\msocache\all users\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\perflogs\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\perflogs\admin\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\program files\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\program files (x86)\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\programdata\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\recovery\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\contacts\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\cookies\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\lhhnd9lew5xmlxw00jfa\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\lhhnd9lew5xmlxw00jfa\ikpxup8ushighl1\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\lhhnd9lew5xmlxw00jfa\zw28zqhzfxay2nv\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\my shapes\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\my shapes\_private\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\outlook files\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\downloads\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\favorites\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\favorites\links\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\favorites\microsoft websites\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\favorites\msn websites\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\favorites\windows live\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\links\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\local\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\d2d9507033a5e4db82b20d90383ec923.xzzx	0.33 KB (339 bytes)	MD5: 7037a481becf39b4f592c93948efe34f SHA1: 5cad49112c4837b7119b18c3c5b5fa356766b931 SHA256: 310e13e9ecedea999daf2c93a008da53f5c4d600015c09b58cde61601e2a418d	File Actions Show Properties Download
c:\recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\6b2db7ff0f9811b2cfadc1531390f5fa.xzzx	3.02 MB (3170463 bytes)	MD5: 149039c782d26be150787a53c60b0fb8 SHA1: 5bad17c6f209bdebb28e1606fa9f14ece3dffeb3 SHA256: dfb87c3b75ba2525237c00a764bff401e5e8b03ff4ef2c6fcfa72626fbcc7515	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\97978e0428d9bcbb43314afc2cd2a103.xzzx	0.18 KB (183 bytes)	MD5: 060420bac4839cf5f19c38943a7b16bb SHA1: d2affbf9da4a069003d22b618a23d512dfcd3059 SHA256: c1d7b12aab67d3f367d0263b6dbbd4f4ef8cb5c4be639a8f8c69b020592f41bd	File Actions Show Properties Download
c:\recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\8515860f00f2a87f630c5931054d8cc7.xzzx	10.00 MB (10485760 bytes)	MD5: 7af68820a4f620b83c4406bd45612a54 SHA1: 39216ecbbd1a8402bbf9c24ab0933a15c80d0d18 SHA256: 2be045ba74174227aea2172dc348655bd52185d0f3587708df15a3362272e895	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\contacts\8dff43342c68841c83bde75d30616864.xzzx	1.33 KB (1367 bytes)	MD5: da93b53581ea1df548127c7aa3cf7beb SHA1: 9ab045eb1bedaf584ebfde0d1bf46019ae1ff049 SHA256: 69c84ce8d01c7e761d477281f27d618bc0c4fff56157ca43449725898de4fd4f	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\contacts\fd82d02831f226b04645120f361f0af8.xzzx	66.96 KB (68567 bytes)	MD5: 02fec1c5dc7e2590a9765b6fb3f32932 SHA1: 3a7cc5153a6dd097f030de730922774f34339d9c SHA256: 1df186e7f72c994ad087878f1516afcc919c5aa93c4fd91e516a434439678998	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\contacts\3180d48c036a6faaa02e258a076353f2.xzzx	1.32 KB (1356 bytes)	MD5: fa1b1293b91e27d93f13b23f4da472c3 SHA1: 7ee455e5a6aebb6facc9abc6743db788bb75a555 SHA256: 776dd0b99dd4b18c6265d5bb97ddfa56f0cfa625e31fd473a52b94ea3d8e32eb	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\contacts\278d60903b72bf40f401616c3fafa388.xzzx	1.33 KB (1360 bytes)	MD5: 19ee4889b17d055dc24c0f0f206421e9 SHA1: 33cad01020d2bbbe4199037fc04b4b5c77ba5892 SHA256: 2df685df86595f3d205c6fc460fac4581945380ead55c28c69f18986b722a671	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\contacts\63ab35ad17277526536f22e31b54596e.xzzx	0.56 KB (577 bytes)	MD5: 28b81e6b09f2ff1a42abc265088acd62 SHA1: e6ae4d4422f09b686e3a61823b6144e5b8314504 SHA256: 64756fa5d348dbbac0cb09b1558b567d609e96da8f6ab42c7097173f9385bcf5	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\contacts\8c424c551a76d4366f1622171e8eb87e.xzzx	1.33 KB (1359 bytes)	MD5: 5f293f0eac5fb35c56b22fac54dff248 SHA1: b5cd478953c437ab45228eaeb2c684311bcf8e84 SHA256: 085dbc6bcc60b670175cb26ebaa343e17839c81d83a03679dfc9e6cb2f7b4630	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\contacts\4c9e88000cb6cc7042ef328010e3b0b8.xzzx	1.33 KB (1357 bytes)	MD5: c608d3534822e866482d2809a64ad4b6 SHA1: e28d66870811eef28a97c960283640d9222c2b66 SHA256: df37dbc3f9cd57a3a011091a152a8f1373befbdb90d3f49866dfa344dbf246df	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\be3510781871306d58a0b1081c6a14b5.xzzx	19.62 KB (20094 bytes)	MD5: 1f9aa5313695ddf23958e6e3aad848e1 SHA1: 867e6960318877424c46921bb9099f2091b4815a SHA256: 2b4d200af3e59617ca142cf4e27a567cecd825afd291285002ae45cade56aa28	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\2ffb243e16646ff464f688111a91543c.xzzx	60.79 KB (62253 bytes)	MD5: d4530ca468ffb9f183eee5966b298d7e SHA1: deba00eeee77048da93c5651b154d6e7687d29dc SHA256: 31792954e1c5db412ca8299f714c44da70e4f54384d205da328568f585a51329	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\b34c34b41ec5682f9cb9477c22be4c77.xzzx	80.71 KB (82644 bytes)	MD5: dfa04f94f8ea24a531e3aedd827d5fbf SHA1: a94fc7b6168efeb964274c5c21df2f66129e9cdd SHA256: 50aab8c08843ece8b6839c1beb894dcb7d01129082dbeccf4da1555e5567e1d1	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\96e8bc382a82756a96f374bc2e7b59b2.xzzx	82.19 KB (84167 bytes)	MD5: baa927d05899846d8128dc2652f0e1da SHA1: d04117b3bfc926ffb1316414491ce45ba0d0566d SHA256: 228a91cc95b34fbbd3c292d9c9346bce79c5b72c74a4591ca9187641d94db3b1	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\a9467a821967f20598e66b961d60d64d.xzzx	33.96 KB (34775 bytes)	MD5: 0f462d7d5044e27c97479f358c7d6aef SHA1: ef4f52ac12f97d90194971548fb3a301fbdcabb4 SHA256: 9d992da6f514be3948454579b41360236ef3a1b0fbefe266d0ef588449544ade	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\d8b4fbc032e124e029e6603236da0928.xzzx	44.68 KB (45755 bytes)	MD5: 1171ed3b0ffcf3aa020cd28ee83e9eb7 SHA1: 093b6525b6355efd8b32572410702ac540d2e9c1 SHA256: 325163f38c746bd100fa9fe1cf1333a6b874bee390629ed76498e94778fc5fa4	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\af137d37318f929fc9ec733b358876e7.xzzx	57.54 KB (58924 bytes)	MD5: 82004c86021c94d53032ecfdb83f370e SHA1: d0881ed00484ca79cda816c05d458a8ea77d70fc SHA256: 5036fdce40bbb4c0f0249f19ae68c26b02a600299b4bb7caba155e7512ed9320	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\e1cb2de23002b20e4903a282342f9656.xzzx	57.42 KB (58797 bytes)	MD5: e2cfc66de56f175d38c1aa7a8d5011c0 SHA1: c527d2339c52dc25cdde7ddc9f3711c3cb586316 SHA256: bd4f6687a6d0a7dd0b3b93663de82a17b724a6a6aee8982d0b4973438bf7abc2	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\5a5e8816436aba61c7ec8f1a47a79ea9.xzzx	0.55 KB (567 bytes)	MD5: e5568878364ee557ace58675f1ca50aa SHA1: f024ff6f307dd504aad45a548789f393cc4e05ab SHA256: b3f6f5113c93892024223b4188734833668fd7bc782a6367c645dd7352be6cfe	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\4ca2a3b835a9c9d86061764339f6ae20.xzzx	42.86 KB (43890 bytes)	MD5: 6e6f0daf10918d01e72c4d8002373d8c SHA1: 72dd2b94f3b8c6c3dfed7534dcf5647f1ede90a1 SHA256: 2c3552ae0fdd0bcf0ba05689550fa13217be85aa9df2bfe5a77aafac73ae5d46	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\7e0556c23257a27a640f901f368486c2.xzzx	40.36 KB (41328 bytes)	MD5: 28f4829c79f4eec9fd7cddfd060f07aa SHA1: a7a666ad57dc3812867c7ea853ff4d797375c53a SHA256: e7c311f2d14407fa76d5b422b37eb0e35f7acf8bd15d0a514c7a0750b4b664b8	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\d4132cc416066089c413f0dc1a1e44d1.xzzx	65.07 KB (66630 bytes)	MD5: 79f69f3bcdca8095e7f6242ea2dbde8a SHA1: 882cfdde487ca0c545d3e2463f92b21ab81e63fa SHA256: a4fcc7926a4c315a43245ed461e015e0b74a3ff71915a2bca221a419c48cb6d0	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\b8f78ce2222013c8ff50021b265cf810.xzzx	1.92 KB (1968 bytes)	MD5: 860c337e5dfb49521db578df71f496d3 SHA1: 5d13c2e47f9200f5a47c97e1838f172dea682d1f SHA256: ff1f9af96be15a21138d7de11a6d58e7b5fd60fac22a7635a31dd669c44d04f6	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\2f2ebad63a6e51cf01e49d9e3e863617.xzzx	64.68 KB (66232 bytes)	MD5: c8875444c336fb900e594143f0b53e78 SHA1: 245e99cc9fe8fbbb06fd17c5e98f77d0fe7a8226 SHA256: ae122938e7e7a67e4f77917903a6c6eb90df1450190cb57eefe10b92c8d353f8	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\5f3f59042cd153ccc290441930fe3814.xzzx	6.63 KB (6786 bytes)	MD5: 068b4f214d2a568168bf785f95037b7e SHA1: 23112502950dcc498590a4d0b5afd344fda6e51e SHA256: 3f11eb5d5f05c27f29bcd0543c107f01af353ae96a54f2afd622e8ab43b00b08	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\d7ddfdc32cf119c87b5bfa373108fe10.xzzx	83.78 KB (85791 bytes)	MD5: add410986e6e80f02e2175724e40b0ab SHA1: 35f59bd3a3a5c1361980b9433a149cf01d64d1b2 SHA256: 76181db8f9f4a1b80e3ef56b4190fa960d40ff0a080390e446b4992bf472fb83	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\bb3cccbc286641fc324d4a8b2c932644.xzzx	94.35 KB (96613 bytes)	MD5: 7c71fcc1c1df2874bd7e0a15236ab206 SHA1: 280387cabd31fb7714a6e4dfb6d5c6dd16c05f5c SHA256: fb690f762dc185a23f6dcaf85ac73638fc9c6bfba4915713d8cd56cbf1c56d72	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\b0407b59334cdcaf9e2ca2e33779c0f7.xzzx	15.63 KB (16010 bytes)	MD5: 4e2e176d209ff6f708568125d1c4ce8d SHA1: 66d11069b0d956233f44f832d95eba3533a124a1 SHA256: be2aa830518ca712f57ae92259a29fdc807c9d9d3cc0adc084bb6addc51b7ba0	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\lhhnd9lew5xmlxw00jfa\ee9b10b00f697ce4836159f013d6612c.xzzx	79.06 KB (80954 bytes)	MD5: e5a22f5c0a824e162937a9d7b5cff37e SHA1: 9982ef4bb4be4bbd86b9ce2be0407ac663dba358 SHA256: a69df84dcfdb681257231df2a3d7a190cfecde3d0973165927c8bd85462c8c62	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\38aa9e1f3fe71932fade96e143fefd7a.xzzx	81.89 KB (83855 bytes)	MD5: 1c704ab468506ad7d1c352cc2e0070e4 SHA1: 104bd6b351c337578cd7df1e69f09f1292a9d018 SHA256: 034185248f0990238dc977b26c28de529c2fc3851ed38b00e95044968ffc7bfa	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\lhhnd9lew5xmlxw00jfa\8441a0b23fa9b9126d832a0d43d69d5a.xzzx	23.36 KB (23919 bytes)	MD5: 0625acb064776d360affe00014a24ee2 SHA1: d8e097877556698786150617a7970b373d6fdc83 SHA256: 2dc96cbdb288cc9cf7917353f57d832bee6f99c1254fc4654e7ffd791e095853	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\lhhnd9lew5xmlxw00jfa\240d5dc448cdcc4a47de5ede4ce5b092.xzzx	30.92 KB (31660 bytes)	MD5: 075ee2afdf45b3e2dcb505d5658cb709 SHA1: 6b88b6ad96871cadec6cf38ba09fd68a56b95e20 SHA256: b07dbca680b89db0b02c68f3544dc6ed3443fe20e547ba1ee0e0c44341fd4a71	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\lhhnd9lew5xmlxw00jfa\2525214410f7da278be33b7c150fbe6f.xzzx	26.33 KB (26963 bytes)	MD5: 5821ffeafed312a4d7df3d5cdbdb93a7 SHA1: 7c2fd252a5f6ea0e97355259ce1fba1dc8bd5aa6 SHA256: 039db0df68723948a7a5a7448d3ebc6a64c952b71c68a3644dcfa5b17b22e164	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\lhhnd9lew5xmlxw00jfa\b4a323b51740b3fd1d50dd1d1b6d9845.xzzx	41.96 KB (42970 bytes)	MD5: e79fbf767d4b3a3c75f729c2e6cbd6aa SHA1: 95f282c60802b04a65dd7013f1de0b1c08bc40f1 SHA256: c213f4a6e8c3529874071c1b810aa500568c0e79f0a88debd7a708cece6fc2d3	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\lhhnd9lew5xmlxw00jfa\a0dc431228de1e088fd30db72cf60250.xzzx	32.56 KB (33340 bytes)	MD5: e45216fd5eb8cd93ed95052e5b3314fc SHA1: e6d9128d60dd3a97fa512b6027bd287ba37b74cc SHA256: f3c1254bf98f02a7987d79f1301e49adce9ae60d836c00c517ff582745249cc7	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\lhhnd9lew5xmlxw00jfa\4718805a3b556c301085a1313fc25078.xzzx	27.90 KB (28573 bytes)	MD5: 9f5c4299b1965454907854c71bfe6580 SHA1: a72f5fa9f522773340265caaba96102509339443 SHA256: 403d8f8c46ae37fcb3335bf345f9dc78d3599fffeb011a5952be8db86f27860c	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\lhhnd9lew5xmlxw00jfa\3d3271b13ffa5012e003eab54427345a.xzzx	9.46 KB (9686 bytes)	MD5: da602b009d8cd890c1e3bdd2b5a5efb8 SHA1: 4572b728efb3bc3ceaa60cf9571703650c204934 SHA256: 1f91004a3d4904175142f00d64a898d9a2fc2aeafab0b937eb255a9efe93261d	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\lhhnd9lew5xmlxw00jfa\1b49d0d52a00521de10dafa32e183665.xzzx	99.69 KB (102084 bytes)	MD5: cf18e086da2ac760667bc193720d99fa SHA1: 3a987526ed956ad2b3937b129bd57321e0ecc1d6 SHA256: 198f4484c92081b5ee0a306ef59b169e302f9c4c8ffe7222df837684020e564b	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\lhhnd9lew5xmlxw00jfa\ikpxup8ushighl1\069c108614226dda8ed0a1a1188f5222.xzzx	58.53 KB (59936 bytes)	MD5: cdf1740a130dcd83a703f15b3898d755 SHA1: 1f823e96d319a9f20135f34c5b239346ee648b34 SHA256: 20067c71c52c4c569cd39b5a475329ac95a3527b8a7978aa722d50634e5e06b7	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\lhhnd9lew5xmlxw00jfa\ikpxup8ushighl1\e47d77fb28ad6f18ceb95d752cda5360.xzzx	90.48 KB (92647 bytes)	MD5: b4dbac01935a41cbaa158f50e4032daf SHA1: ee9a2a54c8b786b95acc0be32418549461710cba SHA256: 816c11bafb15e7b8c30c61bbb0efee27793371f138d8e4ac5c05de925eef4a23	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\lhhnd9lew5xmlxw00jfa\ikpxup8ushighl1\3d2178a332ed6f4701e92e353705538f.xzzx	96.27 KB (98580 bytes)	MD5: f480b9ebc1a6e813b9bc2ecb624df014 SHA1: 7f493207f514d1ef92bea3f437147beff4570289 SHA256: 4aed55a0a8320460e6a3289e96f837cec7cd79c0da84efbd9276cfff5f977611	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\lhhnd9lew5xmlxw00jfa\ikpxup8ushighl1\9345d86a0f87da84ada8003e13b4becc.xzzx	86.81 KB (88895 bytes)	MD5: 05e9a38bd2a8eb58b385fcc203ea4282 SHA1: b7ac79f626ef4d1e5934ed7b133f84e1f141ee14 SHA256: 16a333cf8c552f487b54463e5e50abee2f51cd79d34ede62eb3e29468239defa	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\lhhnd9lew5xmlxw00jfa\ikpxup8ushighl1\a216bea01542c25c94fd01f0195aa6a4.xzzx	4.43 KB (4540 bytes)	MD5: 630a139a9e73ccd9ac24b4447ab900ff SHA1: da94f9b274ac0cf7af86251e759ad9e16d6a5f99 SHA256: baaca3f4434f4e8f0aaeab6ad4712a1e53d12b39d9de754c13cb5eb62817c36a	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\lhhnd9lew5xmlxw00jfa\ikpxup8ushighl1\e85c7261086e23dedfc379d70c9b0826.xzzx	59.96 KB (61402 bytes)	MD5: ff5926fd6c79d1ca4bdb2c1646ce451e SHA1: 94eb338b2f2316bbed6e44ff4008098c1c9c2c63 SHA256: 390123269a79675bd22fa2f1096de4c5b6a5cd60a85b80326e7fce0603e3260d	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\lhhnd9lew5xmlxw00jfa\ikpxup8ushighl1\33820cbd02f4b0d349b807ff070c951b.xzzx	68.06 KB (69691 bytes)	MD5: 172705fe35eab7f0a943c14fd12c13cd SHA1: 8c23e02ba967118a24e90635f98ae40162fdcdc2 SHA256: 5d95e36c4e05dae3890220d86fa52e6f8bb64c24f7c5adceb9cc10f947104364	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\lhhnd9lew5xmlxw00jfa\zw28zqhzfxay2nv\632a4073379a2fdc09389deb3bc71424.xzzx	33.63 KB (34433 bytes)	MD5: cd4f89617d0a4d0cc2180c36f5b9c9b2 SHA1: eaf0540c1a148a648724908ceb4f129d13c5ccb0 SHA256: caccdf7bbf5c32b3088ed685e6e354cc3e31f280f331802d25659b4d666c6714	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\lhhnd9lew5xmlxw00jfa\zw28zqhzfxay2nv\6b01ea683dc5f7920a3c155c41dddbda.xzzx	90.64 KB (92813 bytes)	MD5: d0cfe4acca118972fb75384684f8f364 SHA1: 59d49c41072e578802b95056a186338ed46332da SHA256: 16416e08daa079d2db90a9465fab59399f3e122775c84b400d99cff4f343b812	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\lhhnd9lew5xmlxw00jfa\zw28zqhzfxay2nv\5154be9c1011afd27b96a6c6143e941a.xzzx	4.35 KB (4454 bytes)	MD5: b1c3432d2f07aa1891eeda4ed9c0f8f4 SHA1: 287450b04ea91a1c35ea39a9c93abb3507331656 SHA256: 8cf2b9dba45a5c49b414aabdea6e2e3f4ba3721d3eb5a16ff682053ab737ade4	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\lhhnd9lew5xmlxw00jfa\zw28zqhzfxay2nv\f8f047460eb3954ecccbc0d612cb7996.xzzx	84.21 KB (86236 bytes)	MD5: 1ced70356d384fbe0887df89f72ed012 SHA1: ee9eff3bd7d6ee254715736b44258f5a0a776ad4 SHA256: 671427d0ef4d90ef2ec86049d767aafcdbd5d1af83bdf0dbd9ed6e2229dde220	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\lhhnd9lew5xmlxw00jfa\zw28zqhzfxay2nv\e3e55c1830b142fc6c2b225e34de2744.xzzx	40.84 KB (41821 bytes)	MD5: 66d1b0c8809a3e340a06443cffe1f852 SHA1: e99da89cf13cc863694e1be22acb212250fd3dd3 SHA256: 5709e9813696c9d853b00a1adf14f5a1b8d9354cf278201fad891edc4c1ee1f2	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\lhhnd9lew5xmlxw00jfa\zw28zqhzfxay2nv\73c0d9902a7964c0808d031b2e914908.xzzx	44.84 KB (45915 bytes)	MD5: f2a52aeb2e175a88aeacd11063e8d9fb SHA1: d0c8780275620821cc79c90a8b682ff3b2367667 SHA256: a8f2542a30e5c2ba92fe555dc27cc04bb55576534aa25f7a1729a4759e87a869	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\lhhnd9lew5xmlxw00jfa\zw28zqhzfxay2nv\0fe24cf432281f2497377d743655036c.xzzx	51.29 KB (52526 bytes)	MD5: aa8f05f29f54f1ded055b59bb41b4e2e SHA1: d082e00a2613cac7d2e9ff4fbe09e87d01bce909 SHA256: d259c116e5af57217c025394521eb030bd54a48042075cb8a8bee830709c3c02	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\lhhnd9lew5xmlxw00jfa\zw28zqhzfxay2nv\7d60b7a8152cecb0b780c8b61944d0f8.xzzx	84.49 KB (86520 bytes)	MD5: 66a036e74ef16981c2c5de0cd95dacd8 SHA1: 321f6f985b84627c6e3823b3c9ce1dde7d2f511d SHA256: d98b48f11989504c182d7ebc89ba5080e35c7934159ad5ebe0b33d549ff45812	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\lhhnd9lew5xmlxw00jfa\zw28zqhzfxay2nv\de6d908a0693b67d2f37324a0aab9ac5.xzzx	51.87 KB (53110 bytes)	MD5: 602bad099f347131c7d0fc42288f7d88 SHA1: fe09e2fe4d1e19443f1edc366e9a7b05b76b2028 SHA256: eb612eebd781e26d352df807b376fa664f9d0a924fa740f69e7631f6e435ef09	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\lhhnd9lew5xmlxw00jfa\zw28zqhzfxay2nv\4cde900f0bc30bb32ab81ee70fdaeffb.xzzx	22.72 KB (23268 bytes)	MD5: fa0472ec8ffba2664c7fe54ab03d9a35 SHA1: 5a45953bcbba0e03aa81752ec481cbda743e827e SHA256: cf9d5c8015302523ac1dd101e5fe19350a023a2971361e03c28038bbcaef53de	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\my shapes\bf7b86490294f06b45ac44d706acd4b3.xzzx	0.37 KB (381 bytes)	MD5: 3cef2ac0d6eb9cbd7fb5525810239b11 SHA1: 112856c2cdba6c0ee0b000c4edd1111888304ba0 SHA256: 15663764387d013c1833ee7d44801236a79922e5743043e7fbfe4adb58b70d73	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\my shapes\_private\7b7ba3c4205941180fe9457124712560.xzzx	29.38 KB (30089 bytes)	MD5: 84d2cc2a52da42f308082110d804e971 SHA1: c55a945c726e0d54f338fa1b2ea5998dd831ca49 SHA256: fe626bed5e421e266b5b5def2ee3de64434004a93769c8a5c79e4aecd162caad	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\documents\outlook files\7ba753503e40d4c00f297b124258b908.xzzx	265.18 KB (271547 bytes)	MD5: cf5d5391f97c7bb8a30d0b46566a1ce6 SHA1: be3a212ab2b9f7d28d705ef4d70658ab14844c7e SHA256: 114b557c1f4d8f2826300e8b2c011b49d7ccc9a0bd9b4bf6ce1f75e037e96594	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\downloads\4645e01c4f3ccec4ea018e655354b30c.xzzx	0.44 KB (447 bytes)	MD5: 760acaac8a4822c7708300c7b7412b40 SHA1: a74a21cfe42872d6debb2f0590257467f6cefeb6 SHA256: c8bf3bbcb47c1d2e675716e436eb2a8e3ef7f884f4c43358555a7ad9b434d181	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\favorites\72a6c9432269cce1a510518b2681b129.xzzx	0.55 KB (567 bytes)	MD5: f416139ee234a074a84840a79d5e4492 SHA1: f460a746dcc8ce5ce54bb57a9fd7c0ef1a8a3f60 SHA256: 403ff5c14278cf92f5b57faa89ee5bd1213cf65f72c9c57d69917124a83e196f	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\favorites\links\8e5ece9444dbaf1a59bc413e48f39362.xzzx	0.24 KB (245 bytes)	MD5: 55bfb842ce6739aa416236f6579d0b37 SHA1: b7b40b2365139cf8355cdc3cd176105ca78d507f SHA256: 8d70759716c129c0b812279dae24c4747816b35e8c06cab0f41761fcefcc347b	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\favorites\links\b8440918056e9f026ea48c8c0986834a.xzzx	0.41 KB (417 bytes)	MD5: 731f9dfe1d316d6b0fcb427621a5cbed SHA1: cd95f93ad65b8893e58bc74bc17e4363f21e0b4c SHA256: 51364ec4cde902259292f3732ec387e8169d965fed6d472be2e56aa53052b578	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\favorites\links\15dc3754190a8ea84ed7a99b1d2272f0.xzzx	0.40 KB (411 bytes)	MD5: 2718bbf5f733c4313b2030de72a5f064 SHA1: 2e3d7e85acae7c40273a65316ab5fa7fd2f458c5 SHA256: 8d832c6a9193c46a924a3a25f9b6fc4b557f4efa3a72579291806709e86c6d3c	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\favorites\microsoft websites\1b49b9e018f35807975dc8201d0b3c4f.xzzx	0.30 KB (312 bytes)	MD5: d90ed03b0659f370f185a930ffd12c01 SHA1: b155e0fea261b0509ba54a744fe90ac9464c5502 SHA256: ac1ee59f00279cec0f8555b1122a071d13429101df144dc54085bba18be5722c	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\favorites\microsoft websites\fd9030e848c62d90344a51e94cde11d8.xzzx	0.32 KB (332 bytes)	MD5: b62a4313f4a8109e488acbb907d7a948 SHA1: 06ab81ed90ecada598fe0381f3bd54d2138be405 SHA256: 7836e3508d1804f4e1707cea6d58f254b73bd941f0b915ad2a24a9ccb6ef7116	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\favorites\microsoft websites\30fef3b4011abe0e503ed66c0532a256.xzzx	0.31 KB (318 bytes)	MD5: 7b6ba656037cdc448f6ed1f41a1300c5 SHA1: 916b741f616d9fba93ffe6088ff8c4b2bbb57196 SHA256: 5a0229d14f2b37da6afbd19825edb1a8aa30a539309efb5be4987903a0da5eb2	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\favorites\microsoft websites\b2a8c78f28f146042377d2fd2d1e2a4c.xzzx	0.31 KB (318 bytes)	MD5: 0d379c94c9634504f0392b6ae9b3ccf4 SHA1: 1c343789a8fb47bfc4161662cb41d49788898dc1 SHA256: 5c4b32cf30da1bc7b1cbb434c9236c71c0a0cc5a4ae4440ea35454f19249d5f3	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\favorites\microsoft websites\1844fe2a092a01627c9eb5e50d41e5aa.xzzx	0.31 KB (315 bytes)	MD5: 25f0799c63bd239b7af324814d33d6a7 SHA1: 32f7654ae81ad249a7e119fbaa8afc5515128646 SHA256: 2ffb53b4fb4aac427fa007a8568f267cc5e1f2b5c90432171aeffd15525dd2b2	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\favorites\msn websites\833df956476c97eaeaf8ad0b4b847c32.xzzx	0.29 KB (302 bytes)	MD5: c5a7b6f40f786b4f38dab85eb63ff458 SHA1: cdcdde2bf8309b8219efcf9ebba08db1899eff9b SHA256: 1f6d95700d944989057bcd1fadaab71fca3c1e244a3e6ad5b74550da07fbffeb	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\favorites\msn websites\13771db6235c0add78bd03922773ef25.xzzx	0.31 KB (318 bytes)	MD5: d8c8e49869b0894ce1c39de2e0596262 SHA1: f02be445418ff5faa34a6aa8aa02f817d8b94fde SHA256: 50433ca1689fe9fb678311ca369226bfb8ee955d705834f74f006651e2375cbb	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\favorites\msn websites\8f3b67d5108cb69fdd5c15d914b99ae7.xzzx	0.29 KB (302 bytes)	MD5: 9e37796c60680bba180b4bda51c6c848 SHA1: f544655115941f161ec46a3c91a0a86f55783cc8 SHA256: 76b2334c79f6cdf7d6fe27edaf0d335a548d069dc3e347fe5125d4262a0cf2e3	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\favorites\msn websites\94764f5b3c2dc73eaed48d494045ab86.xzzx	0.30 KB (304 bytes)	MD5: 6f7e39e7975d0e66dd208f8a141fdf90 SHA1: 3d853e036d8c934467626a19c14c9b5c9e365495 SHA256: a3b721c0ae2df20467a22647c4722abbb62b06f06c770e7022b1b175d4313aa0	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\favorites\msn websites\583ca788134302604af8fa2e175ae6a8.xzzx	0.28 KB (290 bytes)	MD5: 9217170c0c1dac3e954e43177162d0b6 SHA1: 2a35c29640b3e7e02004d36e358ed19cae619efb SHA256: d41a5ca2893360731a2ae6bbfb955e60bdd221c35f7bb479ea6ea3e94c360a0c	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\favorites\msn websites\880f5e93248ac126c0e08bb728b7a56e.xzzx	0.30 KB (304 bytes)	MD5: 5235f32bacf62ce875c416b6a0e119b1 SHA1: 54f160ca84c0fe0a674a13ca5217d6dea31299a1 SHA256: a421ada38182be3b492ea9bfded026b859abaaaca9643ee5b1c2af5d5d443bb3	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\favorites\windows live\9aa1db0a3e2db1949e51c4ae424595dc.xzzx	0.31 KB (316 bytes)	MD5: 4c75edd47dcd6a49d4fd5e7127e5729a SHA1: 132e069269ed2fc6ce8a7e0559affb118bf810dc SHA256: f1b9def9278c0bce1e8353460f21a3029b7e3510cf998c7233ce80644b83a712	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\favorites\windows live\d9b986602fbc15fec37446303428fa46.xzzx	0.32 KB (324 bytes)	MD5: ead1d310ed213a5e11b13fa2b7bdf3f4 SHA1: 7dfbffc8e708803445fe3fcea81abca9f93a7432 SHA256: 14a44c681f34a848cfa8539761f2852a2378efed24e1f51cfe6ba7026be76216	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\favorites\windows live\fd9d491315d8c1eee26af31719f0a636.xzzx	0.31 KB (318 bytes)	MD5: 00bf787a8b621ec6cc8d075a44d3f4f5 SHA1: 1339d921e13d2594ed344e066162b4b55af89e4e SHA256: 6f3d6bee59332e753cea279ade3649ecf38cb5a9aec033ba6568cd593d88f0c2	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\favorites\windows live\a58916d017654cd0cf379f2b1b923118.xzzx	0.31 KB (322 bytes)	MD5: 1861d12da7cadebbfadaaf5fcae2fa08 SHA1: 95a58e3c2e4068eb4d965338b78ccc34d64f4a1f SHA256: 367dfc1aab18979d723f555d5b8db12d0db682aaa3cdd54b011fa10353fee3cd	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\links\afa4cbc047178b40a7e7aa8d4b2f6f88.xzzx	0.73 KB (745 bytes)	MD5: bbd52b08633142b1a05bf5aabbb1120c SHA1: ac8baf7c3c291a8ad2d7ad6a27beb53903fa5af7 SHA256: 6233fcb1e4e49031ca08b31646268d13a4147d4c5f428313dd8cff656499c805	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\links\02d36bf7229fbf1a2d198367271ca362.xzzx	0.53 KB (538 bytes)	MD5: 8d697c13c4bebeb2470a203db13767d2 SHA1: 2b15ca0c4217de43c53776d39216f9d1972c99fd SHA256: c1fa1ab30f748fdfe2fb5d7999a3ca670fcfe862a20e77183921b26f9bd85fc6	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\95567f6e0cf2434a8f3cb62a111f2792.xzzx	9.10 KB (9317 bytes)	MD5: 455acf569a78a766035542b7c025f8ea SHA1: bbbc51e1be2d9b5507be5cb95eb7f57be01b540c SHA256: 011278a45019dc36bb9db7084523d27eb4806439e7748da04211a46a79070380	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\d25ef7c41a27d9e43ebb395a1ebabe2c.xzzx	24.90 KB (25497 bytes)	MD5: 754ad1f657d88ca8c43eed66bdffef39 SHA1: 286db2a3fcc09af1c9b06be39102f4fb3e1d0958 SHA256: 5df4fcfcfa891fd400fccbaac82e8e0ad1359108f67cc8740f07543a04aaf9bd	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\links\61c67744188385c0eada50e91cf06a08.xzzx	1.07 KB (1098 bytes)	MD5: 6621b1997d6cbd1c889ebc297ea56373 SHA1: 1ff0ae557c64e1b4a34f92e9547629e64ee8aed7 SHA256: 5133e1ef36c9fcb9ad0188a365d22faf63637ac6c86f1c60d5983444b9f6d14e	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\fcd862501902e584e01cefe81dabc9cc.xzzx	4.53 KB (4636 bytes)	MD5: e7d862e612fe891e31344f78acdb3436 SHA1: 1ca0de52571149182c8f63c4dcc0aeeabb789560 SHA256: c22bd8fb406827096820d418b530a5ee87bc1870e2d8d4a69a15837057bb17fa	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\5ef7279e2ed18e2582c79cc632e9726d.xzzx	0.65 KB (669 bytes)	MD5: 726705e4c5f5e6ba5939d025fd87e895 SHA1: 9affa9196730805eb431774664eda2f47f2e6b29 SHA256: 8dad840babee49b711c27e83ea5a5094fc12e9fa099be8dbba9b2a715d2ba193	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\129dfdc608a49a7cbff35cf70d217ec4.xzzx	74.97 KB (76770 bytes)	MD5: d54c435d95e9b30b15afd93207f46f79 SHA1: b26921b8ca1aa96ca1d31b67b3cfc78177055c70 SHA256: 9156bab19d37f1fc49fbca9a5b4e16637c59c9f96b315e4d2e0632d2850d8bdf	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\35a8a5603be70712a81d33d040a3eb5a.xzzx	64.36 KB (65906 bytes)	MD5: 803ffe4870325b3051b7f545419ff130 SHA1: 55ae39d4862be22a09bb45c8d8439670bed66501 SHA256: 37eaa139ed744f5dff67cf1dc8df9d2a510f25a4c073a5c7fdfae6ba69c9dcba	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\b169cad546c877a0159fdf7f4b675be8.xzzx	93.67 KB (95914 bytes)	MD5: ea34f06f4df7b220e1c54236d20cb25b SHA1: f06919af9f35d49ddcfec8fcaa9ddf7f70c8be8f SHA256: 96f59caaf8bdce2e5bab2138bc46c437e7b11f18bd8d72a9c5ffb1b01155a364	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\3dab40862fbd462437e5810b348a2a6c.xzzx	15.89 KB (16272 bytes)	MD5: 0f6cf9a5de83764a04e784a50cb94049 SHA1: 3e25e007630c221b670b542f29b9260729883520 SHA256: 8d4aac20fc3e7cfe7ba8d8e0de6c599b0303bd947e5a8dc464e8dc2f5d6298b8	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\70cb960a1797b0a14eb31b321c2694e9.xzzx	93.67 KB (95914 bytes)	MD5: f2d8bbf24987f9ddf50724a32bcce8dc SHA1: c28e2e082d5df0447038c7bc78d1f2a5200d155e SHA256: 1d3a92482f84b28eeb7101420aafc00b1b2b9d0d34dd43dea9274e2fdc43a535	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\51a5a3c031894064fcb3ced0366624ac.xzzx	81.50 KB (83461 bytes)	MD5: f3deb548130f7e011f7e14d22a6a33b1 SHA1: dba44308f33c87cfaf2a298aef9f2f9cd89e1a04 SHA256: 35c49df5839e24e53bddab5141f7f42ca9a02f405ce2f22542a9a67290faa6cc	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\fad3bb6308c4fc66694f337d0d31e0ae.xzzx	93.67 KB (95914 bytes)	MD5: 854596fd469ad894a3579955c4871711 SHA1: 3d76d7035aa2cef358b260d898c98b7edfcedada SHA256: b901fa970a0d8e0a69382aa8e0fea84503a8b893488d5bde9b819b6bafac418a	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\c8e8bddc263509ecaca7c0d62a50ee34.xzzx	81.50 KB (83461 bytes)	MD5: 67840eada81e1a87a8cbc6553d4b268c SHA1: de9bdeee50966200847186c73d2016a0590b075d SHA256: cd0750b9a1d243470427e9ff106284b41ba15fc95b2bdfb0ced0b02d07f61c80	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\eed603f80d860cc870d6498a119df110.xzzx	89.25 KB (91389 bytes)	MD5: 29ac431be819c3c08d164e8b45b87b96 SHA1: 84665235ede98bb2c4a8028457f15ca7a7df78bd SHA256: f0b0e27fb2df28ccf175ed5e290904ef6452459c38f6112eee94c653aa29c39b	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\1037641408f8f044b7533aa10d10d48c.xzzx	15.60 KB (15973 bytes)	MD5: 518f55a70ccc91278fbfcd6b82d39475 SHA1: 8ac8072872947ae19882007f93f39136d2de6783 SHA256: d679309f5d54526e3f52daff0d9b57e3e05dacd81c322002a148ccd16fac1853	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\b5a4f8d81d2bc280a6fb77022143a6c8.xzzx	51.50 KB (52733 bytes)	MD5: 4e87399c40fbfda8101d6aad53516284 SHA1: dc45c3afabd3181402af348a5117d5ad19007b23 SHA256: 0907d363360d3006b669cd1381e43df64ea5cbe9b0885fc06aa62aa126745c52	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\a191878831212978b3b60ce1354e0dc0.xzzx	80.57 KB (82499 bytes)	MD5: 8dd9d1b39acad994134ba22fd083d063 SHA1: 9bed907ef3aec0312e411c74e4b8601cc80fc00f SHA256: b363630acd603d3ece19b269f42df9c629e86c6158c28b0d35c4e0c6b84c26dd	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\6d35692c49d86b1ade80fada4df04f62.xzzx	54.11 KB (55413 bytes)	MD5: ab3e7f2a0e819e9b302d9d8aa1546364 SHA1: 5347c2473d17fa039bff1d5f7e0568d5df042ffd SHA256: da4d2b66f8a08969f6d0a9d0ff24fbfd6aaf586ddc98f3ec1649378680d89600	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\e003588e3da0b59dc1493ec641b899e5.xzzx	1.33 KB (1365 bytes)	MD5: dacbac43435b740f3687e55dbe3a50d5 SHA1: 5f1758c04b8145e8b2c44189ead9cea88f2cc6de SHA256: 0d113ad6c16f02590835e924dacdccddfb5a9fb0eaa16719c2af21afce3d5cd8	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\54e892fc383d1fa0ee2d03953c6a03e8.xzzx	82.30 KB (84280 bytes)	MD5: 6090b1a158fb63a3abc0df52f99f0ce2 SHA1: 454a9b49ff7875a3e75ccee586c95e0e52b79b8d SHA256: 7b52d0a7bf88d9e960ce48fa8bb318895d089d49a16c338c6355b5191a6dd9b6	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\23947e243409dc7caf2c62063821c0c4.xzzx	37.22 KB (38117 bytes)	MD5: e5b58e6bae92e1066b3798d97eaf33b3 SHA1: c46ae251d9196e6dfdeaa9655c4345aadd8c4ad4 SHA256: 4a4998a7614f46d66106c1d5ea6911de4260172e27a340120e7e6f9db191c33d	File Actions Show Properties Download

Modified Files

Filename	File Size	Hash Values	Actions
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: e19f6a2e69e48e7d3720742c99392583 SHA1: fe2c459a5b0893bf649493cf3dabefc1d8465a04 SHA256: a2e604e0daeabffe3f4ec44de6ad8e026cc5ed2487491470c696e546066356e8	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 814f1b08ae92bd5d4d25d4e42ab28f2b SHA1: 40d5718a729c455ce1201b6330007d01c1dbea4d SHA256: 061e44965d029cb150381860cba131d230ed49a817f89128f0f885a5cf295e7c	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 4e95e0cf613c8e5b346f18b1da242624 SHA1: def3e37c0ee3e1c48b20e315345ea79403966398 SHA256: 3ff33cda6bf81cd651c0848ead9c85268f483cab41a65e2d22730e8ec442ccf0	File Actions Show Properties Download
c:\recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi	3.02 MB (3170463 bytes)	MD5: 149039c782d26be150787a53c60b0fb8 SHA1: 5bad17c6f209bdebb28e1606fa9f14ece3dffeb3 SHA256: dfb87c3b75ba2525237c00a764bff401e5e8b03ff4ef2c6fcfa72626fbcc7515	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 4cee43f4c870b967aa8491d3cb0abb17 SHA1: 2f90d80e055549767a26b23ca20966e72ab5f1e8 SHA256: f8a09519205e9131a83026547b9a53d6f03d413c1215fb638c75ac135fb6f8d0	File Actions Show Properties Download
c:\recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\winre.wim	10.00 MB (10485760 bytes)	MD5: 7af68820a4f620b83c4406bd45612a54 SHA1: 39216ecbbd1a8402bbf9c24ab0933a15c80d0d18 SHA256: 2be045ba74174227aea2172dc348655bd52185d0f3587708df15a3362272e895	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: f7e9f993db856ce27a1001de530fac37 SHA1: 19c00557f4e8604aa7ab6364df4472133c2dab65 SHA256: 141c64e29296dd473d8bc09d5913f92bb48b5eef3cc28141bf2b1437796533ba	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 13f9c6326eacfffbd799d5bfa822e37f SHA1: 6d6506098ffdc2a8410c7194c95ea3e99f0abbbb SHA256: f02c59939ff03d407ba4cb24f9c3d9022a8c96708c5001e2e862e5b4ac7c6aa8	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 5e4618d7238ce7c835c48f52b3745179 SHA1: 579bee8d32d1493698419c2db57f3ce210972e28 SHA256: 1b5b1a577db475c1468fc45309933e50a5c56248e9aa93cdbf0cffb1ec97847a	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: a59e64a9ee39336312f7d611b15a8aa6 SHA1: 3935947456850c06664902309d8fd42cf466fd77 SHA256: f94bcf4086220cd1cd08aa968bd72350d2a606fc736610cf1ad2221bee9fce07	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: a8a86b009e428fb06407c9af0876d3a7 SHA1: 2b0e0b58962ae724048f0213fe37db29cae49b27 SHA256: 2ace2b74273eddd32d0f02e3a2b3f182bcf2e844ebf09359af2dee67f6257b7f	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 0f92a1788ac3fea4f1cde6e4b3265ea8 SHA1: 4c15db48ca94b7da81dedc2df7020aa0d5c4221d SHA256: 46dd7740d8c369e4d4c209f04c0fce8eb2aecb2c56dd93587de385d6eadd4623	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 8f6e63f0d53ee35d5492e53d9ad33263 SHA1: 396ac06a71fd5b6bbcccf6b11e39eccf1c6e30a2 SHA256: 1ae5c7aa3c29d0ebd5b339c7e2da91fc5486e662d77e9411f3a0dbea7b1ac665	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 8b93b3602a27797ca735b7ffb26332e2 SHA1: ccb374c385c7eb66ccd236f06f2699cf960b48cf SHA256: cd2ba8aaec06a3d1764ab616c7bea3a1385a958b47b214889835e23a97beb163	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 0ea871643e1efd851bdf75d349a3dd46 SHA1: a6f0e00253726d198bf3dcead22d1df34337f2d8 SHA256: 458121e877e8ab037585192ad929a82e4e352662b46750a84f8fd5e7c224ec5e	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 4d360bb043a3428b923706eaea9c1de6 SHA1: 2573b856c7eb6dc9faa3221a0d39107864f61f8d SHA256: 7f55c9b1cf55225f33224ee5c3173edb43a6451dee4181fbabf379dfdb8258f6	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 7b95cd6c0b1a8735ff0b3b628a56aec5 SHA1: 7d4ea73d6b7a7bb59c91b30b2bad4eebdb281ab9 SHA256: 0320cd126bdbcc6b3c47876eecb7b09891bf290acf739d432523049c27d92ae6	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 8c9827beada5e0066b5f5f962afe8d1b SHA1: acc7dd2fbb624839bb52061301aa980db6e26d10 SHA256: a9318420cae0d9b3bae15ab505e36d538b757a06d210acbf743b565c1dee807b	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 551b58e8cdb91d3ce675b6caf3ccc5f6 SHA1: 1488531700e2692e1c9858d6f2c82ee033ef8e13 SHA256: 6148f6799b15857a4ceb68ce889418b7ce28b48931cff98618ba19b7260a861c	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 45e5bd6ed45ce5089ac829e2c7daaed5 SHA1: d58f888c1a1ea6ce871ccb35ca181632e16e2f01 SHA256: 2ca32dc03b110b1d3cbfbfc840e0c25a3ad27405def585785e50c75857b239a9	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: dbdc08589776cb606424d1a7271fa4b2 SHA1: b8dd24b7af0142059d10d03828e67c6249dd62f2 SHA256: c2c9e90b31d29a54fdde837126a74a09a5ded87662ab1ad0d923b4ea3e47e862	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 66d1734e2a678e1ee5a57e4dd52de11a SHA1: b77f7edbc9d18b9e2bad433c3c6b036466fd00cd SHA256: 4331ffd80feab4efe02313932587b1bb5e8d3056fd3a9d3fdd88b4e5d07f68c3	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: c2b4d63f0d3d148b592eaa3c7fdce1d8 SHA1: 2bbb8bb45a20fe49b9df890085ebfc887bf0ae7f SHA256: ae7f3e20e8b1e3beebaed7400f11fe5dd648acf2c75fdde06737f5fceecda4d0	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 6b48287462a22f07b63924dc4c1079cf SHA1: a257c3330d908b6d50da079cc91ea4ecf99b99df SHA256: cd07522a7e5d25b1461e82e0e6680edf744a2d78200df517c94a4eb493a501b3	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: a0c4f6838ecd427c072ba3a6d8f467e9 SHA1: 937d82f19b71b97529a7424f8a724ccfea4cb453 SHA256: 30b2c1642e1b0d99ca7ee5fc769c205303571c54fa1ed3fcc60f9f3aece459d8	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: db365aaa178f4cec323568d0a2d92459 SHA1: 58adfc371a5d5c29e6a65dcdb9692d7addd5b8a8 SHA256: 81bf4ae209f9f4e703d136cbde9ec6eaad18cf68190d0b89bf6e6329adf13b15	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 2e48c94dfa710b445956e81d14902aa5 SHA1: 516689dee57e7a087e053a3f402cb816823b38d4 SHA256: b5c7fb38a69f387122451f9ccd7ebe0249cb569cb432f6956317fb44e62529a1	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 0e79b690ba279131fff542c4801351fc SHA1: 4d7684cd527b9c00a992d6edaa89e353d12076bc SHA256: 517a60ed330120a013dd402887c436fc85ba0d32873d3b30dea48ee0c8cf73e9	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 470432b0d9ac88813cb2f444da58cb24 SHA1: e6501b794158985f690a478c49f96414901b7c16 SHA256: 77314f36add45bba5580811496a7e9a095a1021bbdc3c91819c9a8f17bcc3ed6	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: bb61023e4fb73929049e1a8f67b1961a SHA1: a8d454bdcfc462272dbe58f17f0f11eb0e5c6bf9 SHA256: 9861bf78b729b2f7f572bad333d68013013bc254de0d5d945024036281e77314	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 31a2f135681199bb1f1d33a8e567e071 SHA1: 3661bc7bc7aef1b340574d767de1c26d055798b7 SHA256: 40f64331918c493bacbe1fdf00ab63f516a9e9091ff43ff0b5c901311e1a158b	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 036177d0287e398e2a461109a9c03b17 SHA1: b5ccbf19b26b184acb314b439c708f063030ba65 SHA256: 27a111af8c58ff71b72e16f858cf9d0592cf3585ac02f38e70a540fd101bf85e	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 3aeb6d30aceeb81e1c93cfe420dda735 SHA1: 1d33bfe2426416e14c40b080aca5f226dc26e121 SHA256: 3c126d7de1bde6ae1064f3cc7ec070b25c27afd606930125282fadb99adb0c6b	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: b052818d5dad028f345fc59ad440284b SHA1: c1445a4fa3ab71be001f5a477c16b7ddbb1185b8 SHA256: b19d73b07f8e199dd4175ea802f0f6bc04807aa2fe2c5757fa6ac5584948e805	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 5a83fa0ee650ead8b8c97b3b48cac33c SHA1: 5441b1df0f954352cbf82fa51a6314c3e7f38e05 SHA256: 66ab80f0337f9fbd731021d3d995b8c647e7a30bbbc3acf42b26ea9e6b1841af	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 192e38f6712b4bfe6b6940b67e542e13 SHA1: c121a6da9c2df661db8ad6bbfe9258f3b2175f3f SHA256: b5c9bd35825fd81a83f3e35f0ceaaafde7cacb249a7d88de7ef025d51156f55a	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: ea87a51c5b7d175b519c0410c73dc68b SHA1: e89685354569382d2353422692583228b761268e SHA256: 89ba1e6d538a1beea3ec56280f78d38f9c8f11fb9ff67d919965b622653aeae4	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 16fd7d224cb9bd2d0e0635f0d657e7e7 SHA1: d4a1c8bb5fc3e8a97f45e9f7bd3622bcbcd49c2c SHA256: 350ca8506e976e56b35a33adac75f67eae9d880708c75a624de5e993285d86d7	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: ef19f5fb3de11aeb1a94727dd89c885e SHA1: 7bf0d3aa4ce8fc1180129efdfb3ef4c22c820eef SHA256: cf04c3cb9f95e60367aa2761cd37c81bb24e5f89278f328fe716a3dd65fff403	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 933865606c3a1e039ea8814280a61496 SHA1: 24f927af56a53e2fce91112af40690ac683948f4 SHA256: 11159a7dfd9e7445afbf85076324a275fc1b54201c7555fa503148197a4c4e01	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 7ac692bc78a7e2585c34b88b865b07dd SHA1: 3f22a3d0e49c65679247ce3f37064280c2113a90 SHA256: 7fa8f262d609f2aa2e937759d94ee4a6b9e74bf472e26736c1a65a9a6b00f115	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: bdb3b93da1d867f46dc90680801a308e SHA1: d413010296d9619e9d9b8eef5f2db0e6211ad46f SHA256: 43ddf773620137d261254cba0c5692f6df53415900cdf92d1f149bb8fc520877	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 111ce9ccdb1b2f74959823f16ff312a2 SHA1: eb2baf5256eaa5305d41a76f1bb1c31f4480019b SHA256: aacaa02d4786d917437ceeb041eac71d2714223e506fbd834127e0622eba19ab	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 8e0e161294d7f2bf6e2ac3155e07e5a8 SHA1: 518807cdf1c6dc5aa458f33b3c91b798620b5f45 SHA256: f4e1e97f06ee45352968923bf4c7a7ce1db9248c8ae4cea482e3c5628d0ee854	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: c790532da14e90812fa485cbad151729 SHA1: 7edd228ebcfb10eafca39707d00d5f09417b4f1c SHA256: 35e290b70c010d989fb6cc000af700a6d754fa9fbd081c686009e78cbf89f754	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 8d7cdcb73d636921b1bd56d197d64ae7 SHA1: de00149051ca4cad95569e383718ab56562705ed SHA256: 68de719a2a0087b5a3c7338a7d7f081147798d49422272b0ac000e9c8ef764b0	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 5ee3bdfc2e4ad6e1663da842fcd92b25 SHA1: ae1dd9da48d96f2012887fe24b707cb7e1e9d850 SHA256: 90024e4d93e8c84870fa78c57d4e6b12d4a2b634ca84a2d2f2b0ab734f533770	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: f5a35f0d8c9258d21bb879c879ae52a2 SHA1: 9c0b5078d298fe333f7ce7f78470268010d2b557 SHA256: a7f6bf7e3cc4736d13a5187a665d39e981292c0e7d866f0d16d5cf44a8af06fa	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 415df0e14cc75b273797766d5d5dbd92 SHA1: bd17df7ed6ed6b24c8910f31c8c01f1f747a2593 SHA256: 66272164f4ac974910a84b77c2ee776bcb2f820bd03fa20351910176280af8db	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 03c4c2cbb7b71b62ad4f2fa06dbaa500 SHA1: e613f37ce004d59bd4ce6f872f941cb9e02b72c0 SHA256: 3905fd39cd97889b1b2bae7207efed14812670307c0f9c0e318bb3564a35640f	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: d0c9664b82b132a1d5e55c7641bcaa32 SHA1: ee0f11ad7b58fe9f5f702e517b89261189ab117e SHA256: 37c0a3ae1d80a2147c59b1c10a302d3b1ebf0ab1446b3defaaed6c3ace077722	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 60221806b1eaa971f0805f198a52bc53 SHA1: a90e74b74436dc0b72e9abc19fe04994399425b0 SHA256: 50f2579c60287ee07ffea0c18e15b37c317e7ffcd94a8ea075786ad848f8ad22	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 1545eb055019f44d7bbafcce4a2cde44 SHA1: 9f93cf8a01f1d99e4862df6fa92e0c9944107809 SHA256: ccc2cc793c89ebfec6068f9d72d591cc22aa557eb73c9e6dcade90dd10aacf57	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: d50cb474d15009cc1509b9c7a8e6de18 SHA1: e06a99bba6e83ff5776c7c45bfa60da7f2ee1e49 SHA256: 4b39743cebc5fa913adbe0239a7be1dffe73cc2100fe72a4c0384f6f852da525	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 76199b79207313ef73e58c91f894090b SHA1: 1d7ff3f462f66840e68e010723586967e47858ee SHA256: 991c1f594a24a0e24c333bf9de9854e7f5a96fc2a1c54d15ea3e4e224ec19b57	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: a90e656f2ec243ac278a7150f144826e SHA1: 5c1de5526e61897a5fa45fcd20599d14f935a36b SHA256: 9abf69230425feb25f8108958cb0f1bdb1f788e64c5efd299ec6161648693d56	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 1c2c2b82a51b6ef553f80c73abeed2cb SHA1: 3f970d9f20d9aea90b7583713feb8cf1ea387888 SHA256: 5fcaa9ff44861807206b5cbd9456ce0606c002389aee7d7e8b50fbd8d5e49a07	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 8b3fcd1aa2f67b805cd72d9872e43331 SHA1: fe0db975d455f0731152e3e60d314abf08596253 SHA256: 7500cf228ceb07da0bd655178a3c486d1f9d8a971982ca1112e44313c56c21bf	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: ac68798e09ca338893adc19ce95c834c SHA1: f9ac2630266c3e1221ac41505950e6c7c618cd93 SHA256: 07abac86557b1ce80920c850ce28501e495f6cd99852843fd1df1206d433613c	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: ba78ceb68b3246ff67e0e430963c657c SHA1: 590fe102377c38ea3b72893c9c0f72a5194a8395 SHA256: 8ddb712d9465216f3daf2f12a1dce5b0a8b72237ce63c37312a4c0ed955b9137	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 74028e74ebe873be07b955651a6aa13a SHA1: 1dedee862e459a632dfed9cfbe58e972281172f8 SHA256: 7cf49a79ed677cc1d2fbba89ca1ab5aae02322263c829f2e09143cbab1c4a9b8	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: f4fcceec6b9b572b3b94b27716363b72 SHA1: f242231b5c84871a6c09a2e09bf1b16426842b07 SHA256: 61b4751d1e9f2b77ea1f7ab71090ef5c4437531a3da38fe94db6b210d1f067d9	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 5ad052dba685485c7911287e9a6b8b62 SHA1: 13161e758d6999f04c9fb2e09c5aba9a6433ca41 SHA256: 48aa50b67a1db1bf079cd57c963624623aeebcd4c28ed665288714a21985ee23	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 74599cbe33b049f550921c7d20bdba0b SHA1: 04ff02f4d30c0a2394504c070be5651d3a3bee68 SHA256: a3c9943edc224207a9d0eab310bd7dfba0e4aa7cdd751de0d8a36620b17b8116	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 6488c62e37499b1d58fd634432e69b83 SHA1: 97302c23f0f601fb3f1e89cb4a81300bf20e9e4b SHA256: 784c14470886b97e160cd326d70eac01c9b5f32f30100cf4ff4dd965fd1b2675	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: ff10d6669524223808a0a12e5e418e60 SHA1: 6447e6d431fe201ac0245b8ffbe9fc0ebeb705ff SHA256: 34344b59f0273d17f0a95b4ba618cd39864f8edbcc267bb81760a9a7729118f0	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: abbbc719b95e9c9426ff3590fa62190d SHA1: 998ffebcf24858f5a5ad059e356eadecb11dc1cd SHA256: 814adbcbecbb6f95b52c8652b902f25fb04c5d53891e880767b5d474623c2ac7	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 0180870b42dcf8ca9e1765fa35ade47c SHA1: e54deb9e27deffe78a2f3b77c5fb6a94fcef1c36 SHA256: 1799b8426f5ff8428d6a3a1988c46deaa0e7e645aa337c867907f21080d87109	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 1d68f06a6c6fc73d7f40f5ee174d9c77 SHA1: 69dbabaefc96d168d955c03e6104c78e25dcdd38 SHA256: 010d8370806c0b26e1dbc893db33f2c758f40376f1fb5589b0b471b6eecb5db4	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 8ef54491807ea0fb81e3c0512536b738 SHA1: e481f1a39d40f34ee4d119cf35116980a0c32142 SHA256: 62d8616bee6dcf16c8e4993b2a52f9b32b99b69c67b1501d0fe893478a5d5b47	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 502a367144ac188f54517e7ba4ba8594 SHA1: 8bdf345f8c4ff48c3e0d164d83fcf35229923a1c SHA256: 6430dda12a5cc0fd1dcb60b683727c77849b8293da1b9ea25ea41950bce4692c	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 4170d50d3edbee713a753cb7c213a63b SHA1: e8238db794b1603a471d468a7e237f14641186e3 SHA256: 869131efbd21d9db9e9fbd3942dee62711eeccf3ff75d547e78a70d40dcfcdbb	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 13750b82fe45fb6ff1bae553cb2d2cf2 SHA1: 03b6584982f4b192a6b2456a2db0da7cc1193a5b SHA256: c91e2c9996671460a054cb2b75d63556ce888ff767abb7474c34aabefac94c34	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 22016b6e8346a5c499c6fff2524a1f72 SHA1: 36a71b190b559f31c512ccba9855f1e42cae9489 SHA256: 2432df3d3bc41cae7f91100cd409c7c1012f9f301114500b67e68abbd9bbf72d	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: fd1e5bd3a8ec32f255e008bb6824fea2 SHA1: 1be89702a029e0e3e54aaf5dc9f83487d379c47b SHA256: dca3925a815c7c90f8ecd25dc8d4ae6ba22881cf52ca20a9edc5ef92d9343ca6	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: da6156020cdf6e3a40327436c950d6dd SHA1: 9989a3cfb770933f9f75e60f1b3df5eb1bf50486 SHA256: 19d991c420c129af18d9e5083fb27d2d24affdd72c44ef279f4e4ae73854608d	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 5506b753acd8b8867b7694cecdd25213 SHA1: c0df1504bee2d24254f58a08b27fe7a42e943b35 SHA256: 51a34ba0b6dff1761387f97c9994aa8986d675937be0d1765e38bc751b13d6db	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: ab254de9bba2cc31524de16d36e6d31d SHA1: 824cb41693d1e5343eb40b741a2e7098a167cd9c SHA256: 824af92033197ed7950ff6080006c96c36af6a8044a51bf9d8ebf2ea00dda76d	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: a35b740ce644ea3f912ff3b750d23f58 SHA1: 6f4dce3e5505f42d431fcd85f4bc11c0141fcaf4 SHA256: a8dcbc24f50fc26e9fe385380a3c764b251f5be3560daca44ac7216115708818	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: fbba74be12d24c72d64aded8f19a69bb SHA1: eaf0968afc4c190d13ed940fbc265ac913528bfb SHA256: 3d425503980fd8a825ee8ca0f2d400c7bbfabeafb67e3f3076235cdab86df4a4	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: ae0898ad377a1cfed5d8dccc89fa6c3e SHA1: 4fedb8875a794f8a51d55f1b9c08cf086003bd32 SHA256: a2d4531fdbc50a3a192d31cf9aab5305cd531d2eb98d7c42aeff311506b0580e	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: d93155fcb055e78e8ed256307a409e27 SHA1: c675502d98e3bd9e83038ddcff4a14bbb7b12396 SHA256: dc40b87054f35f31723f1a01a56fd9623052e776d6c5b01a503a45e457916873	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: e228e3d6f60380bb9725d4cdfcb3019e SHA1: 0ceade1d8a3bf9a3554436c98815eb6fe4349cf0 SHA256: c2abf30e01116e73ed5345bf0a5ccd9a7d3d70547f4097d477b84272c77d92c7	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 8b40b425a4aa246b0faf03c4dc41865e SHA1: 5cfda9d814f7b1a3fffd56d551ba9b3ebd9ad01a SHA256: d7d5f4665406ba7e230296e899c3bed7259b84ed2683cff961d7785f9bac718d	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 8802819753960d2c9cc3b1a690a15478 SHA1: 35f2ebf27b0db55af75f3d08f59372a2d95a2dd5 SHA256: f157bff623502eab620c704f895a53d9368b496f4b2cb3a12d3c5691b31e0291	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: a8d83dc108c385716b571af0cfd2450b SHA1: e72c06957fe845578e69838794ace5e9468e1e8d SHA256: c3629e4c0df1d1137c47d19d126fe3f333d1ab295b29aac897644a8878e89b20	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: f65002e1176f5c6425db6352662618df SHA1: b4244207352905669fc074bdde627b161ada17b4 SHA256: 2f24f7e19e6c472620b70174424bbfa3282469f83cb1742608bf68bd34238255	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 8a11a0c50125cc1fb4363d354d3ab452 SHA1: a683ea35b2238c21c8950d7cb2bb8a69937e721e SHA256: f2a825107bea2ec68c1b5526efe3030813053406b6c9a8cd048eb6d9f5f231fa	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: acdec48add32d8ff2f89deda598c1102 SHA1: c60cff1019db53e38b3e7203da7b905c1eafc87e SHA256: 9ebf34d9d112d9a9b74003b7dfaa624a0256485b7f7a18bd5004730f48aa4329	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 4ba7590cbcc41baa6f202c28dbee804f SHA1: 9a049e8c92d4699dce538a549b58a559c6da7b1f SHA256: 3022ba90e9a41f1da6bfd88421bb82eeafef0e0e7478139e2db04b66b5301cc2	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 9ec4caf1969ce582c75b9690ef8288a5 SHA1: d18bb72636623cdbda75a7fe19340e1960334d14 SHA256: e5ef6de0838d37fab7d7bb3a3f62c1fe80d45c93efae1ab23de140d84b2cbb73	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 629a94de1eb5eceb0768c6f544287f12 SHA1: 62c7bf4393ce2678d0ed5c5dbd7f5cc7c8646131 SHA256: c687289f1d490fcc4667fccbae122692e3180f1edc44ec2e2caff018b95370af	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 7e15d8188b120c9c86e18744a1bcfdbc SHA1: 9d225cdaa02ec39470e3e6cf642c3831d57b897e SHA256: ae28d89c8a8ac0bb15b9ab4c77eb78fead63288659ff6532255a6e315f9a5868	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 07f427ee10790018a36b1a43eed94a3f SHA1: 819e6885dec172c6656689eef7f825995370fbe7 SHA256: c46a10a59d028345f3250a6420cd8930036efc22548ebd283accde2ab32fae73	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 66228c093f2176dd6d4e8abdbf901280 SHA1: f424df5f8592f918731289ac64fab06591f9835c SHA256: ef6ceaf0147dc2e445a8f8dc4f1c1f64b0b8e3284f78ef79e58a94a8b2848a2c	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: ecbbf8d71492486ed7a515155c5f07cf SHA1: 854b1261fcc27f8b7a92e6c961743c342dc82230 SHA256: 3dcda8549bc20be73b2272deaf97bd3a29c8a25688dc96ab788fc93dd5d02375	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 3da69b963357527619a17540a7cb4bdc SHA1: 9ba5efccd61fcb243aeedcf06c7cc7efafe328b5 SHA256: 971161f2de1ecef8ad0bff3191aecf90c24ce6222b856adbea7eb52a9e390017	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 6f62bd211490087c503dfab27d4d0ea0 SHA1: d378c73a63c6eda58ebc534736790ccfe8f34901 SHA256: 61da286f592000a7b3387580dca2a346986428f40e38f54a4f64d4bfc365bbe8	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: c3746a99d4cfd6541f64d69b4c7af0a9 SHA1: b5bbcc57107d91bae5ee3736975712d919b61118 SHA256: f8fd2b84dc389a149575a9954e7c42d761bde6eada9353d748e09786c1d5f635	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 6e73091f2bcbe8ebaa9f123f644e7116 SHA1: b4242e312287c97f8386727422eb1bbcef2719fc SHA256: 702764e47f4b902be80d17465639dadd9897da302f6d40be3e2f03fb10df56a8	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: e475964cd0b5e79e2060561501e572bf SHA1: 222b291457fd973c8697a66a358301767e181c6e SHA256: f44baeef5c5d348c974afb15bc02f66326a5ab6a50f64bd9ba5fe61c826296d5	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 83065d3af1ac7ff34887a69248930c1b SHA1: e16acc3babb39ef63ecc2b6b413c45ba0acebb8b SHA256: 21c4022e528f44439d85bfd654dff0b218650c862a54f979914909900d7c901e	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: c0140bf3ec17bf0207519fad908563b3 SHA1: f6cb4b65c5e05647aac8e69f4e37098d86ee8c36 SHA256: 0678fa0056c4a4b0561bfa97b3d661ce5736a8f8fb8df22435f2f55410d65bfd	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 8cd8f5aecb163e34cbb95d4dafc757eb SHA1: 81b49ab9adcc957b01cef92e1a3a820b86619e7a SHA256: 8f037170a2cf5697841fdfce99118a2d1a421b4438a838c92bcc72ecf0450f05	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 76c41a76e7c277c30482d6c68eacaebf SHA1: a332ba2a230537b5f5c923fd91256e67b2fd3cf4 SHA256: 623eed6e31a8726cf27a9e99225d9085add16715ea6d80b2a10248f58db6fe86	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 2befc8fdc1f628ea7d411e2034128843 SHA1: 6d8e2add25b49160ec5d7ca39e8b6098eeaded6b SHA256: 0247fac45afd615d0354ed4fd20580275fbebfe6ee279b7d8338f94089dae324	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 476ed9c62d652fee45bb0a7d370351f9 SHA1: 7a62c57eee8dac7418c0fae1dae1846ea7780b54 SHA256: ad9eb960a19699536d54c945dd3d2cd5fe87dcba7e5940015d2e2b3a28ccad46	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 49372e91edbb7f13a9f4f8b970ba3cbd SHA1: f570934fb650ba3f62403ab750a331396364113f SHA256: 0d194530694210d61871f92847286823c04e027775d7486cd551fe5cd7ef1d94	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 27fcc6c5a519d70b25265605ce65ec67 SHA1: 338c8723bc53c0359eac4818c94746ceef0b0915 SHA256: 16cda29fabefd315df376c5f22b146b02d248eb96f039335802bf0bc2b887c9d	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 736d797c53a971f0435ac03bfa8e2e8d SHA1: 5589082fcd0cd0268a133a63961ea3f4bc2f7218 SHA256: 7773bb240abfe69eb96e4a4c42c9b0d59656145c5727856a828589c14803c4a7	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: ae26c1f39e328a672a3b716e4f2196a7 SHA1: f7ad5365959fcff1f01d3b8e2617ea1c7df4fef2 SHA256: 5a0e4c2ce1f2a5b5db46e2dd6036ad073c6a55165b989ebab9b6e489ca21a26e	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 329b8a34ebabaad8a1bf864831194752 SHA1: 4fc1e2eb43022e48079c9b65327a934c4c7ca3a8 SHA256: 1d297337a4b5f7832f2051c785fa2e7d3ba3975ffeb3a736055d0889c7ef87d5	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: fbe411b74a0ae779a578da7f172457c8 SHA1: 0a05cea2f609eee104d87d364681c8cf8a0bcad5 SHA256: 28168186a5964a0921d0311a098aa4acce989b8ef197db49884176f7dc0f771e	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 318caa82922715054214fcbbcc4119ca SHA1: 073f2754851fc1d4db332c3ead644e704027287c SHA256: 1bd5608778affd0323834ee57d819443a832e0819ad910421ee1df4778895b4e	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 093ae23c04cf29bea6698995efd03a52 SHA1: e3d7ace059e42cf6f606ca18f94ff0fc59fa27fd SHA256: d958036f2581b75a5467af2c312b46686eb6412005ac0fb3e150bae3d6a22e31	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 8dbf466f718a9cd3f186fa610189b5ef SHA1: 2162e7ec8f1f31ab2e7f44bbcc192c274cdc9cd8 SHA256: 84430c0abf64fd399a1b8670706fbd5addad5b184eaf79a8f62772415ad24019	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 54b801d6b674306d06cede268b328c8e SHA1: c97a7301c2bb7b2007eab0ea843cdaaa231cd77c SHA256: 4408199e1687d98af2c87eef7b9115f9714892bb45bef6d0cbe05c94f5d4816f	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 95b154f39ccd405a430bac6d73d48321 SHA1: 8c238ab77017e986943f979b0d7998b7650509dd SHA256: 3035a45765e93f18547773ce8274f3d468d7da63ecb0ada50929a390c90f0361	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 6a7b74b4611e52f1b0a4112c3e23d5d7 SHA1: 617200df312225262435a3d9ea2e0288e85d106c SHA256: 5104cec486d5a51421d8f507629b0c402a5960615fca7992a4e5a17cdcdb4e4a	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 2aedc6e5f1036aea641add1001f005d3 SHA1: 0dd063a557f7f09b66241cb1c259e24f22be5ddc SHA256: 16cd55a4064e88295dc22a8843e38dd3d17c2fc4a4450a999fb4cc053d301c37	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 014c3b50d6b6d29cbd19155c96d59b89 SHA1: 7e6febd29b1534d8ee218b1d5b4dabef46b429b2 SHA256: 51f2a0b1b8706151dbefb7eab35ec2984b95404e5edf5c2c28951c06f15f9320	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 59b5b47a93aa0952247df77b2e3e28d8 SHA1: 7d0429bfa91c4cfda934f319028fa3c772cf55cc SHA256: b5891762e85aa4ebfa3fc3500f06c0e34251bcd36076aaa3ccaa86aca7ae8ef2	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: ac8797e990a937c418cb0480528bb1ab SHA1: 8977ef14a54d3fef3179740c985608ee904ea740 SHA256: d0268a10122a9a39386bce0538ca942ad5ee88d00430f9a0939c886a3f2b4930	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: cd86678c5947d286edf177d3d35fd486 SHA1: 3f0e5b31a24308ef9e04414c1315c69116ece3be SHA256: 15546cee960168be0578b880e40b61f03d392d26e95ddb321dcc373099f0eda8	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: e0c57894673c14db77b5716666f5a410 SHA1: 0ee041cd18a675aa64c57a82048bb39144c6f5fc SHA256: f7108b96b4f7332ec472af01a850f550d41073b95bc5d287b8cf33585085df6a	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 5cfdd119094aca8c8d3d7b2121a6979c SHA1: 5a2950ca90d25f9be40b574d7b9c7f6fd4e97920 SHA256: b227c340096bc91a9715fe7ea4f2853f5bc2c0f83e523889777cdae9367a2b25	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 1efab8986915f8f7469c0efd9da5e50e SHA1: ea8cc36012e999606a7673f34e0fb5ff76ccaf76 SHA256: 2de4cda693fbd22311caf871c724526b19b7b763ab6869b9208c04210dc8c2e6	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 9c2ec6b248a6c888d5f1cddb5984c92a SHA1: c40e627483b0f88557135adf3564db7e8937e5ad SHA256: 33b3c30c7180ccee497871d9b634055d8eb7a20f87e602d61ae45d78a50fdf5a	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 07ce24ea846aff536fd9e4700116a6e3 SHA1: e2c43707aa8f33dac8cc0c88d25e29be2e442a54 SHA256: 107722b4df2230907ba4aed3fc143047cbc27d0fbf16ac27ac9c3975f0a79404	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: c4cddacfa4899921dd996f95a355dc73 SHA1: fa063383efd1c1d37e0146236494b23705ab2f90 SHA256: 2f801d95e8f5ed1de70bc91cc7c43804d050843f4e6746a4761f3e6cd7c940d0	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 8cbb30ccb23992b9c939dc915505183f SHA1: 8a93871f882bbad23e11d6727b6d923e81dcf60b SHA256: 46d2092bdacbccfc6269319d7dfed07528b20e56b7428e56b9d724b55ddff0d8	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: af307d487e63a6e3bde288cf56a6ddd5 SHA1: c2167a7f67e889f8a830e3f576840fef19a34429 SHA256: e757e709780d2b5e0aa3049ebe3501f7babc28b2387de5d9012b80dcd947416d	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 26b9207fbd0ce18d7262a631c85fb3fe SHA1: 2a6d749d0c2a19bc0de68718021455ff94f53ce1 SHA256: d1532a59dfca3f30c55bb31c4ecb7c0f672e7ab0c813f816f77a9e76e41ca46a	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 90b637cab848a4523db02ff0d69e24db SHA1: 9f3a878a7825534f4605b20c0c2156f12b6b4f21 SHA256: e95492c11475735fd7c0b42a86d3ed82399865c2174d1e7ce10eba93b879ce0f	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 40d31c19e6d1e1b7a0036d792e797afd SHA1: 5683e0fe9de79e0306aed8a7813b5641799041ce SHA256: 14646fcac260f3b1da5b6ab9599acb6290c375f8952e3cc8b358ff3820ee2f07	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 8f8a94e5aaf3aaaab11e662f619a0bec SHA1: 5e39c59f6f2d524451aa315cf71b3c67e1417a47 SHA256: ff711a36730bb5706531d5689f77a4bbc5144a0d1a1cbd3842e8265894ec7cbb	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: e25912828c662b485a1a764370929281 SHA1: 94c80bfce1f463faf05fc7d4789bc48278a3aed0 SHA256: bf32c7912fafa3ec93b50da347a1846d8bacc7ae876ae49ca0a8fc6042c3cecf	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: ad09c327d1cf219adc263d9b25b0db25 SHA1: 8f3ba761d924a9a057789cd73654cfbc3915543f SHA256: b48896928a1d59a4c61888180c20da9fc568dc717a09011f2a4647238adcb364	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 80e7c46b9787ccb34985196cbf7dea26 SHA1: 970c1d86396a4dbf9440e25ca90b0dbdcaf44a85 SHA256: 9bcec32676928a706037a9465c690152e55a32a8fdd79c2b8440fd98032aa9d8	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 1e9ec9ce60cae65a1dd67c729cfd8cf2 SHA1: 1bbf87af94474b302b9235e1ad5d8f8fa79383a8 SHA256: d838a70102a3719a69f6f68e26b71e0232d30e440605fb2b0d5afa1abceef6bb	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 9a2b3c432bac4d587010c37ebea29391 SHA1: 4dd7dda6671676a229661afe09e6d369278465ad SHA256: 6a85393ba91e3b9dcaf6cbc309b7a9ceb9027180bae065ff4db449049713d4f7	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: f69c5e3c61a515adbc451d0bc927b2a6 SHA1: 62f623acfb18f03b2715582940e6e42ba5898cb7 SHA256: 2c4001d6c4aafb813cd1a52b02ebec228763c2a09a3a7775968235da8d912286	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 0eaca048bdef58a68f3c0264a93e2f4b SHA1: d84827f9156e3fda5b4d2dff406accbbd148e2ef SHA256: e983ff96fe5a9edce3d59ce3d08d459f012d7f2d89f175e5a10651d8087df4af	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 2587cdf46034e38451b8b3b21407783a SHA1: 7db34503fc04346d2c2aea4c552e29a568ca92cd SHA256: 089af6ac4715881558192e4da19e827e2224f2c06cb0675ca20002532a13992f	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 146a056d27a5f2c59a58d145bd8c13c9 SHA1: 481b1428ccaaf8eb703c3918c641cbc6b397cb39 SHA256: 34dafa12d4c449dbcff2efeb16f4191b4fe2bc035c45ff0da00e75bf26f6867c	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 14a765e58d9804875d47a6dc091d0de9 SHA1: 57c8f3343458fb70c9a0a134170e2991d0bdc4ef SHA256: efb538d5778b61cde9b3120a6c1f207d491e87039d47a42a9735be4b45b769ad	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: b181eb822b49fba9e7b19874bf0655da SHA1: 4560525db504e973c141b8e348e6e3d7c1f27147 SHA256: 675b79ccebad9711b4449ba52a0631104f873e44c8e153ca7aea5c2e2f2d99e2	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 04e9bd4de4459518c82ece610583405a SHA1: a5a62a9659012817b81749f895f9c79deb4ccf93 SHA256: 218a4edb833c409cf0286c9ea8dd9c15111251444a60c250d36e26573a0e8be1	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 6e9d1b595846ad143c6887565ff0fe46 SHA1: eb3fea9eed3aaa79fb32ea2eb00640def6b6a4ab SHA256: a79bd06930997e4e186f81a62361acfdb26fbf6c3c865fa5139a2315dc5f2106	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: dab028c0bc0a10d75b903a1087482b85 SHA1: acd0c416424d110ad87093d1e560776280887f1a SHA256: 354abcdfea65c072a52984f34655aa25756a22f1409f4483ba75976053737f11	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: ea190f475373baf83dda4dffe46cb950 SHA1: 2d182d034938193e7031ce520a73c7938bfe153f SHA256: 7f9900d7e8806e0fea08bfe8872580baef1d3efa9747ac07a8dead66cb5a7dda	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: ee8c27ad636cd7f6349876b2237eef0c SHA1: e17faeedd7ba723bf2abf0036e47cbf4d502c6b2 SHA256: 264ec7cc00e8d554c02ae906c4547d058cd5f8923b064397b38416d65f257660	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 49b3ba466c2544f04ccfbae43092a6da SHA1: 96e39173fc91d311c857fec0282ff2e719136e05 SHA256: 14d0427ceae6e3f556f08ad167e4b5e401f0be04daa8ed8ac0215e76ec79c66e	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: c58a51073ab312c83bd9e4c8dfb9da77 SHA1: 945555a2a2f44e9ff7c645cbe42eb4dfd6a36ec8 SHA256: 54737eca2b9198ca2d846399c4c1a73d7483dbc02d2abcbe21057f6dbc716316	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 36405164d4480e819b47cd8dbacaa922 SHA1: f4816ca8987b2f7d17cf837e3ff936bc7fb7dc24 SHA256: 925a96866ee4ddf226f0d85ebf8269385c8b197615731eee679a4c525c00d9c2	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 37a1515f4ff3fb3616f27aa4aea21c6a SHA1: e7e33f10525a13f7e39f9f4797ea746d49cd9451 SHA256: b9b8468eefba8e99f00f1b48a1135684eff6dbabb3aab352caae9ddba1a6016f	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 56f2ebda893480cab93ac7b106a21d46 SHA1: c06375ab0c71d9f79255621692f3b6f2cd3d33dd SHA256: 9f23cfde7fac02d1137ce9dfa994e27f604ab2343095908aaaaf6d5465953004	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 6f6a36eaf90e1faabbe04e7a9e54ea11 SHA1: 3251627b2169dd341b465f9df3677151b710e6d5 SHA256: 1fa4e2ec6a6a8338661ea8aa4d341c4fc977306bd4d24d42c54f68cc87c619cf	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: d4a671e6c04990385f5cf13a5db92880 SHA1: e031994a090dc78c31bd5b5322c7ed2cf65cc24a SHA256: edf02c6182353f4b0fb8d4ac5dd73b55d677bb5dcfe9562d6a0df7cd8f16482e	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: d9d328bb97daad62b50c0ac1ba41ec5e SHA1: 957bc23f8deef009343d63abb81c7855159cf08b SHA256: c48b873a0d51a12a69471470f29799c1e66a20108ac7a8ea901306b236cfd142	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 962f1053352fb9bfffa20e1c42c75b51 SHA1: 1d16941b6d904c378cb1bdc294a371d77fbad5c7 SHA256: 5acd70af7768e16c7c27dc2cc555186a36e3d82cfbab61641f7aa29b7d751c24	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 0ca81ece6f1814531cd41233e442a9ff SHA1: 80d30838b977c4f5acdfa7b5ba99ca75b2ee7c1c SHA256: a9d0e874301dc469ebe5980aa0d77f34aa41abaae2643ce5551860e5ca52dbcb	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 9ad91579dd851697749dfa2cf3aea892 SHA1: defd6edfdeeb4d4dbccf0bdcdfd5084bf1a08f93 SHA256: e01bb9d0345daf1fe65ac4707894d34328dbd92c9faa45af53b9bd63963073d2	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 82ed0c68bc60422381c9e5fa125910e0 SHA1: 66c243d1ebafc71167bc821b3707a041efc66be0 SHA256: 752b3fbe33fb73efdd7d1b246ebbe84d78395f446ae79c8a73867b0009a06b95	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 9e3e9774c5d837095e59b7770396199a SHA1: 8d03d7c9c1edcc28d24d4846c58c4ded35410a34 SHA256: 32e75f5e200acad31ee2eb42c9fa7b031c74feee17047e6dd0d59c74e0c06e41	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 1b14289679181df5d8e561fcad127c93 SHA1: 9cf5157a474a6b145421f1403877d10ef9eaf5ed SHA256: 2f6edbcdd3faeeaca02869a72b24f0cdcf99a438253398bb9c963b44b7c20673	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 928a41b0926de1efb54efa02a5381bb5 SHA1: ab68284653f50d3c5bcff0afe9872cc2f479f333 SHA256: c15c8138a247884072138769f26b19933d028bdb9fc47945b07c5c24d59c7336	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 28325e3e130369877016e079288606ac SHA1: 75a35e2decba91be000f7739af2d753e78cba702 SHA256: 2927e6de3682d03cabde546b755adbbb72aa9467958815c82c1f4f3e7f58b642	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 9a413875cfcd4450fd235c06e44c98ff SHA1: 0a158e3ede963b794693a374bbb3a5df2c40b91a SHA256: 55aa076f56ba14188d2b379597ccc431a6cfaad7c56210f4dbb6bb09ecc630e8	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 685afefa49a37f87df6bf64889f88a85 SHA1: e4185237c601a3c90e0680bb521129f80d0349f2 SHA256: 4097bb0682054ebf24e4b6673e716c3e6f9803afa514ff205b3e532b55208cc1	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 6eb3daf34d237367eb40ecf73bab961a SHA1: 318092e1f593575f7ae9f13930e1cabc53e4178c SHA256: ee41416d53f68b0fac09cbe499259258bb1d3b8ffcaef2dd781de4ae6880473f	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: b6cdf8a0257dbc69915f287234e1cfac SHA1: 4709816178b373f54488b3a118cbbddc18a0eb72 SHA256: 9aba49a25654cc0842e9d164f0030662403aa4d6615b2f0bfb0808df62f7e82d	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: b71171b505dcc1b0140675afd0b1e9c1 SHA1: d33f1a084f73a12be4635c6114d86fc2960c8838 SHA256: 632aa3d87811f8444f10ac49581a2528cfccbcdc7ba5ed37e20396c8d77c8bfa	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 557887f951026c19176c4a4c6867098a SHA1: 20d650492e43070db824e162694ecb2b304357d2 SHA256: 08caa4b078a03e4534c1ecc2a1b358c860e3a1abeeb792b7c1aa8baa078223dd	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 7b1dd579d2145fedce1cb63d9d54780d SHA1: d08ba3c02b83585a6ca7bf4caa579334317a0d55 SHA256: 14cc38cfb98097c38ecf47fd5a035c79c38de4b87c3f1bdfec5f9781e35c67cf	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 496d6300a0eb642366ab58380a6ea6bf SHA1: 114b19f649151238bac279e804174441854f4b1e SHA256: 46abd8ace5d4b4814880f29cee2f90f8f394357a9d643fbaecbbb5f329e6899a	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: d0957692790dfe2696661052a1641d16 SHA1: 05a6100cebf02c49eaa3ff6d0a6398f978846cce SHA256: 625814443ecb384846b3bcc87a216443da79923bd6e41eb73ad46b0b0f63f363	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: ffca196605bda13dcdc3aa6082338cb4 SHA1: 3d8b00e51622bfff4143e49634fb7bffaa8441e8 SHA256: f4c1ac4fc39b92920e38c23d863810f651cef43cd98d82327f0afbfd33827ee2	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: a6b790b4f599b697de18793c44407813 SHA1: 6ab66f809ab20507168816285fb84a95bcaaf87c SHA256: 3c8a3dfd989e8f66700fc29d977d833e137f35b536821b84d9e1e145f07a836f	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: f740d7694e836c1cf9486529cd0944d1 SHA1: 26b534d899964f789200192382f39224289691e8 SHA256: 82bf3f31a86e858f404ad0bdf1f1c4c43a40d606df29779904cd7058a9c0b93c	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 8dfcaaa9061cbab9ca9acdcb0d30a962 SHA1: a802d687a92b8f09c1a89a7ec6243fb26574baa2 SHA256: 3f15f1761f3ad613580a1d1dbddb78fad37e0f70376aff947e67c6e5371bac81	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 3d990b42f0674990501c643e977c3ed3 SHA1: 6be4f219b12c0d3411c813c9856dac842b3f5a8a SHA256: 0599034ef63a6242277d404e01dc889d6e06f2b13e9d7f959eb3b7b8917e0a0f	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 44446c4a5cde5259188e9cb083024bb1 SHA1: b0ec568cb6c9f2cbe52496c5d51ff4930764f814 SHA256: 20b2903530464f0c19ad9ab7cfb57198bd415eb1d1245bbdc893651bf07ea8c9	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 620c08192f0a7d92694e95ddbd9b6e34 SHA1: 27e01a0c6f153a8758d6d832a5b6c000b7785a05 SHA256: 3fdebd2769a350d88cb64fa089df269c1412940cb75d823cc27f495407cfbbcd	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 0e9a4c1490e2ec3e91ff48545251f127 SHA1: 557a6abdc35d07006966cf121da125657ecbbab8 SHA256: a6eac1d09ef5b671f74e7081e313174fed63707d21890aa669b399164f9413fd	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 3bf8c1cd5b846b4edd9ec4c795f2cd7a SHA1: 8d9966f9d54082875a6fc95603935b401ba6fb41 SHA256: aabf24c4d3ec9cb3b17be08f4b8f6d81d6601e6fa2302bd0a23d1b645af285e1	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 25b2750e41f3470001006ebd93190ad4 SHA1: 4bd48941a9e804274a8a5febebdd74947961d132 SHA256: 08e0736c74bfdf3f0c27ef2d1800651a46d763ce06d4c651452b4d1ee2699e4a	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 2f8dae5cbdda3b0a33a6fdfd14ce476e SHA1: 2858ba3fce3fbbd1d388c6d92ca2fa0c15e44160 SHA256: 57dfac30c8fcdf36f5ccf299005c16f2e0d717e0518caee4ef4d17e16535b451	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: d6b10b368c2e9cba8fe1e117d00d0df7 SHA1: bbbaa1287e45b217b56e6c4307eb6c4ab2cf9eaf SHA256: 950daa8a4f192e756c01238ea333193d9849fb90ba320ea95bc3629b49b8d98b	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: d6ee7c0e3c429afc288a62808b07a89e SHA1: b79d16d33a13599715681194ec997e89a7824f8b SHA256: a77bd150df8ab741ec02133ed4ec90499fbecc8bd396b60e50da83ce1c542c95	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: fa6f52b53f435de6637d4f3753b0aff3 SHA1: ccb9b68610191f73a307d0aef5e347c98530540e SHA256: cb545d2419a8719e696ac48b797d828bb1fb88e0822004ffadc73fb902c4a5f9	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 48bd39ad048523493f812351fffadb6e SHA1: 5042d0edc18ed83f3959b1f04d530bb0738e8205 SHA256: 81471dc045dfc193fd512ef80cf64d0828d98500d1a44b260b181c360e736b5e	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 436f3a6fc73986dcd9d822dd9ca36f16 SHA1: 15024e4a4006e0facc753930b4f3de8dd3d1f4b8 SHA256: 458e7a12b90d7426212b0b0ddf8081c4fbbbf9c382e96e0372318b4c4d8e3cc2	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 065fd54fd48181a0870f8c5d35f15a7a SHA1: 0cfe6b3c6d9fa22fc4e0f7feec899b54ec7850d2 SHA256: 0ce30343e06e13294587a627cef61c6e3c8579eb8ca384b6c6b829ebe694c2a7	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 6259a355604397d11c9cee594b1fbdf2 SHA1: 36e3b1d50ab531b0173e2bf83a100b68d29f962f SHA256: e0e97c035e5d1fd20957776a7dee1d7185e1079feb9599f17318851e16349412	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 105badd269a7c2ffc80f1b44fc67e88d SHA1: 61b9b3fd2c1f526b586918fbd2bf2c39367a7170 SHA256: 4ded211cfcd5c62c7343fab522a5082a60847b4e7dbec3f8607cddab3f326578	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: b263183e057b732a3b5f2c4ce8a706ec SHA1: 4249a66705107c6b9ae9cf7ed1e5a6495efb2d58 SHA256: 93e8c96bb4a8b7ee1702494dd7b386b93152fbb2628b37edf4091a2ac172ff3e	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 84cbee530d5a261a9a1bb0f5052199e1 SHA1: a13ba4033f07cbf2eefaa672c11e87ae61292afc SHA256: 223e185d21e01d7598a9d4fc0c9227ba4ccb91a9f63df5f46857cae062c0f74e	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 99f96b717523474be097fa05b2b81b36 SHA1: 2eae3ecac36af8ee6830b4fedfab584b2a71b6b7 SHA256: 80cd8de866fbec11e6ae6d657841401d7469b4aadb26c986d9886bb71efc969f	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 55d69d4ab3c99c176f6f921a9dc5230a SHA1: 2c9c6afb882a7fda231069ed0cd7614875a65a32 SHA256: 8e30dc8a8e2c0574a903dbdc32061c742c995486a8a83e9ae1f30f38da2c66c3	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: fb2a005799aaf9b3dc68efdb13e85206 SHA1: e5f0597b758b86cd8423a35d463ba376c623495c SHA256: b1826d98b95cec85546e23a7592acf034e83c5b6cec48c2e19da2bf6aff2df40	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: af99e9e3e38f169e532056b39ac208d6 SHA1: afdd2c58a8391ba766c8a7c94ee561dd9f038e40 SHA256: d4d8c49a047c2e59fe4985acc5ca283c1f5efdd69efe74b6d12fed8c0dee1006	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 59715a1d21fc28d6641f70e4ad44adc2 SHA1: 486ebcb64e4dae319a187ab7d1d8a68fface0e8e SHA256: 7713c21bfbbe7238e80883acc85f8389f2fd6fb48723891632283b076a12b35a	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: efbcfc3e4733e9c6ac5cd4e645512aa5 SHA1: e0f8914fefef927d19f03ac584f7f5a290e1f1ea SHA256: b5ffefeab4a0e0aab793178ee455e063891e1beb430cc0eb45655bda091cc4da	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: f8fa42e08dedba0e4b8f6b0868b6f152 SHA1: 73775a08f167293a7357a6ce9d53ba55936a094e SHA256: 7b300a382b9a6f9d2d2eb5df1c6aab2af805a6fbb0797edfe365a1c619a1bd9d	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 544ccb9f9f0b83eea20dd312b3abbb28 SHA1: 5ee7791fc83e4c6fb56635277d36ec65d098013b SHA256: 09b84a153884323422fc22f4f95dac2566d606b676f23ef762122a05df4ad032	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 4eb3864df42b01bcd5fa7d1175e7c948 SHA1: 6dac849803cb1e45eee84f0363497e850524814b SHA256: 90cac6a6092127fab3d01d09d998a79ad2f36848fd1c47e913c0d37244fe795c	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: f1a486682c129d782bd66ac28c124323 SHA1: c674d18d8561c03a491b761b5a558930f7279430 SHA256: d94584c1d0285483aef2e261bcad0885f599fe55338dd10ffb6b308eaada9aab	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 34704874b8973be75ebc15fdd6b734e8 SHA1: 82535955f4ba92066c7a95572a6877ec5c4eb098 SHA256: e24a496b731be9280873e174218d7e91cc7f4d7e8fdadc86278f61e80f11f389	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 8047f9e908fae3185d5e65a304174087 SHA1: e00f5868459dd39c60860715243a0388fc2565b8 SHA256: 3ca686c824e2fe0cfe1444b0e6e5e2e4a38ea8aec20c20395dab4681b488ecc5	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 307d4df7a3f276f7c19fdfb3429f24c8 SHA1: dd792d2fdb3f73c6a35a215818d58f54e827f63e SHA256: cd6fa5ab0339a9f573620551b52c1228e2ca9d07152dea81c1c61dcf53e5b1fc	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 642a46a839a27eb70d2319244a7ac3eb SHA1: 9b3669401567d488038cc0a8d6b571dac599f956 SHA256: 66ab22e9049760b3293c89a09ebea385c673c8bcae45f3f3eede66ce4e22cbd7	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 99e999b468bacb9a22280768109017f3 SHA1: 96309dac05123dd54fc15d4c5632f54249c26234 SHA256: 5a6163e01bf4b4c7658fc5cff698e18ee7bf437e0338bd43c1d58ce551d4611d	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 71e11f408044d50b85dd10e4d33e4425 SHA1: d907e0ab4f5c9de26870b08bd856ed6d28e23ba4 SHA256: 45aad9d3ad8bf5b79d7605dfc9f6aae7177b47ecb8bedbccd7f624d4469327a7	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: e12b225cc7dacfdd47cefef9d0eb3bc3 SHA1: 13b4d637441b0ac8066e0e65ea3057cd808848ba SHA256: 41fe426330c2da1a118773e33270108ae8a08638c416b13d464114a1bb11a6e0	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: b6e45162a02c917fc653da37428823d4 SHA1: acfd571c1e048b94ab44b7e2db940dd82013c8cb SHA256: 38be2fe4583afed36aa3260d962fca50a89682fa53760c54a8c1b235c1f8069c	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 3064808363ed49100eb872c30cdc000d SHA1: c72c547e22a9377ab7ba35ad03c09b057b71553c SHA256: c2505ef2d0d8190307df6c52c029ca81967fc7144134077c4f1c223e164730f4	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: f1d3150131f487362ca359ced1fae81b SHA1: 175fe8bc6c1cd03c76bbcb370918a09778758d89 SHA256: 8ceb35a7047b6239cbbc5b6eec9f777322129d87c9258f7535203563cce3c546	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: e20abbd0f33c42e06691c9908c02fbb1 SHA1: 56056f8f9b5c3ab49c50bbb0b174b6124c73b57d SHA256: 541cc93cc3679af94fa1a23a9627a89a9dd9407f6e6a69dfcd19508fb6e48271	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 553e5c1501a8c231cca2e3db74db21e7 SHA1: 80b6fd6682c92346cf45fcee43986caa5a0bf9f4 SHA256: 9c7034bb1d4f9f45b343ed088849084eeec2d0467c7d391696bddfec9222ff77	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: 3447a58cb842436fefa56de3aea493b3 SHA1: 0df500b09931d824ee6300d873fe28f18fb85471 SHA256: 6c57e7de709a0c2c0ac7f117bb351a32b5bf5896be84a0ccc1f4d6865fcf36d7	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f	1.40 KB (1429 bytes)	MD5: e206ee6181e318c5bcf4a72f7b3837d4 SHA1: 26debb0ca7f010cc966e66834a3cae8706df73ec SHA256: 80474fec8a059123ecf16cbd9dcefaabbd58a5f9508561c02fdf00bc969c38d6	File Actions Show Properties Download

Threads

Thread 0x9c8

(Host: 3276, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-11-14 19:02:08 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 79342	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x76a34f2b	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x76a31252	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x76a34208	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x76a3359f	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76a20000	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapCreate, address_out = 0x76a34a2d	1	Fn
Window	Set Attribute	index = 18446744073709551612, new_long = 0	1	Fn
COM	Create	interface = 00000112-0000-0000-C000-000000000046, cls_context = CLSCTX_LOCAL_SERVER	1	Fn
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = Class not registered	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Handle	module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, base_address = 0x55820000	1	Fn
Window	Create	window_name = Press, class_name = BUTTON, wndproc_parameter = 0	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
For performance reasons, the remaining 901 entries are omitted. The remaining entries can be found in glog.xml.

Thread 0xbf0

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\bootmgr, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xbf4

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\BOOTSECT.BAK, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\BOOTSECT.BAK, size = 8192, size_out = 8192	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\B0AD3AB92537B4FBFE37930729309943.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\B0AD3AB92537B4FBFE37930729309943.XZZX, size = 8192	1	Fn Data
File	Write	filename = \\?\C:\B0AD3AB92537B4FBFE37930729309943.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\B0AD3AB92537B4FBFE37930729309943.XZZX, size = 24	1	Fn Data
File	Write	filename = \\?\C:\B0AD3AB92537B4FBFE37930729309943.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\B0AD3AB92537B4FBFE37930729309943.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\B0AD3AB92537B4FBFE37930729309943.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 0, type = REG_NONE	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\BOOTSECT.BAK	1	Fn
File	Delete	filename = \\?\C:\BOOTSECT.BAK	1	Fn

Thread 0xbf8

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\hiberfil.sys, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xbfc

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\pagefile.sys, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x804

(Host: 24, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Module	Create Mapping	module_name = \\?\C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi, filename = \\?\C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi, protection = PAGE_READWRITE, maximum_size = 0	1	Fn
Module	Map	\\?\C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi, process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
Module	Unmap	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe	1	Fn
File	Write	filename = \\?\C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi, size = 16	1	Fn Data
File	Write	filename = \\?\C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = Ȇ	1	Fn
File	Write	filename = \\?\C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi, size = 5	1	Fn Data
File	Move	source_filename = \\?\C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\boot.sdi, destination_filename = \\?\C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\6B2DB7FF0F9811B2CFADC1531390F5FA.XZZX, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 2, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn

Thread 0x814

(Host: 24, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Module	Create Mapping	module_name = \\?\C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim, filename = \\?\C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim, protection = PAGE_READWRITE, maximum_size = 0	1	Fn
Module	Map	\\?\C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim, process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
Module	Unmap	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe	1	Fn
File	Write	filename = \\?\C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim, size = 18	1	Fn Data
File	Write	filename = \\?\C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = Ȇ	1	Fn
File	Write	filename = \\?\C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim, size = 5	1	Fn Data
File	Move	source_filename = \\?\C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\Winre.wim, destination_filename = \\?\C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\8515860F00F2A87F630C5931054D8CC7.XZZX, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 5, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn

Thread 0x824

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\desktop.ini, size = 174, size_out = 174	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\D2D9507033A5E4DB82B20D90383EC923.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\D2D9507033A5E4DB82B20D90383EC923.XZZX, size = 174	1	Fn Data
File	Write	filename = \\?\C:\Users\D2D9507033A5E4DB82B20D90383EC923.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\D2D9507033A5E4DB82B20D90383EC923.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\D2D9507033A5E4DB82B20D90383EC923.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\D2D9507033A5E4DB82B20D90383EC923.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\D2D9507033A5E4DB82B20D90383EC923.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 2, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\desktop.ini	1	Fn
File	Delete	filename = \\?\C:\Users\desktop.ini	1	Fn

Thread 0x834

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\NTUSER.DAT, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x3fc

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\ntuser.dat.LOG1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x7ec

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\ntuser.dat.LOG2, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x844

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x888

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x89c

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x868

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\ntuser.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\ntuser.ini, size = 20, size_out = 20	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\97978E0428D9BCBB43314AFC2CD2A103.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\97978E0428D9BCBB43314AFC2CD2A103.XZZX, size = 20	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\97978E0428D9BCBB43314AFC2CD2A103.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\97978E0428D9BCBB43314AFC2CD2A103.XZZX, size = 20	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\97978E0428D9BCBB43314AFC2CD2A103.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\97978E0428D9BCBB43314AFC2CD2A103.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\97978E0428D9BCBB43314AFC2CD2A103.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 3, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 4, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\ntuser.ini	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\ntuser.ini	1	Fn

Thread 0x864

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Aclviho ASldjfl.contact, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Aclviho ASldjfl.contact, size = 1178, size_out = 1178	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\8DFF43342C68841C83BDE75D30616864.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\8DFF43342C68841C83BDE75D30616864.XZZX, size = 1178	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\8DFF43342C68841C83BDE75D30616864.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\8DFF43342C68841C83BDE75D30616864.XZZX, size = 46	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\8DFF43342C68841C83BDE75D30616864.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\8DFF43342C68841C83BDE75D30616864.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\8DFF43342C68841C83BDE75D30616864.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 5, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 6, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Aclviho ASldjfl.contact	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Aclviho ASldjfl.contact	1	Fn

Thread 0x250

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Administrator.contact, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Administrator.contact, size = 68382, size_out = 68382	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\FD82D02831F226B04645120F361F0AF8.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\FD82D02831F226B04645120F361F0AF8.XZZX, size = 68382	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\FD82D02831F226B04645120F361F0AF8.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\FD82D02831F226B04645120F361F0AF8.XZZX, size = 42	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\FD82D02831F226B04645120F361F0AF8.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\FD82D02831F226B04645120F361F0AF8.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\FD82D02831F226B04645120F361F0AF8.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 6, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 7, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Administrator.contact	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Administrator.contact	1	Fn

Thread 0x624

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\asdlfk poopvy.contact, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\asdlfk poopvy.contact, size = 1171, size_out = 1171	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\3180D48C036A6FAAA02E258A076353F2.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\3180D48C036A6FAAA02E258A076353F2.XZZX, size = 1171	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\3180D48C036A6FAAA02E258A076353F2.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\3180D48C036A6FAAA02E258A076353F2.XZZX, size = 42	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\3180D48C036A6FAAA02E258A076353F2.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\3180D48C036A6FAAA02E258A076353F2.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\3180D48C036A6FAAA02E258A076353F2.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 7, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 8, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\asdlfk poopvy.contact	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\asdlfk poopvy.contact	1	Fn

Thread 0x63c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\chucu jadnvk.contact, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\chucu jadnvk.contact, size = 1177, size_out = 1177	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\278D60903B72BF40F401616C3FAFA388.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\278D60903B72BF40F401616C3FAFA388.XZZX, size = 1177	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\278D60903B72BF40F401616C3FAFA388.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\278D60903B72BF40F401616C3FAFA388.XZZX, size = 40	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\278D60903B72BF40F401616C3FAFA388.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\278D60903B72BF40F401616C3FAFA388.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\278D60903B72BF40F401616C3FAFA388.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 8, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 9, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\chucu jadnvk.contact	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\chucu jadnvk.contact	1	Fn

Thread 0x700

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\desktop.ini, size = 412, size_out = 412	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\63AB35AD17277526536F22E31B54596E.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\63AB35AD17277526536F22E31B54596E.XZZX, size = 412	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\63AB35AD17277526536F22E31B54596E.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\63AB35AD17277526536F22E31B54596E.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\63AB35AD17277526536F22E31B54596E.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\63AB35AD17277526536F22E31B54596E.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\63AB35AD17277526536F22E31B54596E.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 10, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\desktop.ini	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\desktop.ini	1	Fn

Thread 0x5d8

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\lulcit amkdfe.contact, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\lulcit amkdfe.contact, size = 1174, size_out = 1174	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\8C424C551A76D4366F1622171E8EB87E.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\8C424C551A76D4366F1622171E8EB87E.XZZX, size = 1174	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\8C424C551A76D4366F1622171E8EB87E.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\8C424C551A76D4366F1622171E8EB87E.XZZX, size = 42	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\8C424C551A76D4366F1622171E8EB87E.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\8C424C551A76D4366F1622171E8EB87E.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\8C424C551A76D4366F1622171E8EB87E.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 10, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 11, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\lulcit amkdfe.contact	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\lulcit amkdfe.contact	1	Fn

Thread 0x5f8

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\sikvnb huvuib.contact, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\sikvnb huvuib.contact, size = 1172, size_out = 1172	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\4C9E88000CB6CC7042EF328010E3B0B8.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\4C9E88000CB6CC7042EF328010E3B0B8.XZZX, size = 1172	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\4C9E88000CB6CC7042EF328010E3B0B8.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\4C9E88000CB6CC7042EF328010E3B0B8.XZZX, size = 42	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\4C9E88000CB6CC7042EF328010E3B0B8.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\4C9E88000CB6CC7042EF328010E3B0B8.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\4C9E88000CB6CC7042EF328010E3B0B8.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 11, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 12, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\sikvnb huvuib.contact	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\sikvnb huvuib.contact	1	Fn

Thread 0x550

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4geU.pptx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4geU.pptx, size = 19933, size_out = 19933	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BE3510781871306D58A0B1081C6A14B5.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BE3510781871306D58A0B1081C6A14B5.XZZX, size = 19933	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BE3510781871306D58A0B1081C6A14B5.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BE3510781871306D58A0B1081C6A14B5.XZZX, size = 18	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BE3510781871306D58A0B1081C6A14B5.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BE3510781871306D58A0B1081C6A14B5.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BE3510781871306D58A0B1081C6A14B5.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 12, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 13, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4geU.pptx	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4geU.pptx	1	Fn

Thread 0x72c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5MzXbIREhTTTaeobss.pptx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5MzXbIREhTTTaeobss.pptx, size = 62064, size_out = 62064	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\2FFB243E16646FF464F688111A91543C.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\2FFB243E16646FF464F688111A91543C.XZZX, size = 62064	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\2FFB243E16646FF464F688111A91543C.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\2FFB243E16646FF464F688111A91543C.XZZX, size = 46	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\2FFB243E16646FF464F688111A91543C.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\2FFB243E16646FF464F688111A91543C.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\2FFB243E16646FF464F688111A91543C.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 13, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 14, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5MzXbIREhTTTaeobss.pptx	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5MzXbIREhTTTaeobss.pptx	1	Fn

Thread 0x43c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\8HoT4SPBYbm.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\8HoT4SPBYbm.xlsx, size = 82469, size_out = 82469	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\B34C34B41EC5682F9CB9477C22BE4C77.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\B34C34B41EC5682F9CB9477C22BE4C77.XZZX, size = 82469	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\B34C34B41EC5682F9CB9477C22BE4C77.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\B34C34B41EC5682F9CB9477C22BE4C77.XZZX, size = 32	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\B34C34B41EC5682F9CB9477C22BE4C77.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\B34C34B41EC5682F9CB9477C22BE4C77.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\B34C34B41EC5682F9CB9477C22BE4C77.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 14, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 15, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\8HoT4SPBYbm.xlsx	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\8HoT4SPBYbm.xlsx	1	Fn

Thread 0x260

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\8njS1by2_oecbNC P4zy.pptx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\8njS1by2_oecbNC P4zy.pptx, size = 83974, size_out = 83974	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\96E8BC382A82756A96F374BC2E7B59B2.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\96E8BC382A82756A96F374BC2E7B59B2.XZZX, size = 83974	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\96E8BC382A82756A96F374BC2E7B59B2.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\96E8BC382A82756A96F374BC2E7B59B2.XZZX, size = 50	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\96E8BC382A82756A96F374BC2E7B59B2.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\96E8BC382A82756A96F374BC2E7B59B2.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\96E8BC382A82756A96F374BC2E7B59B2.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 15, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 16, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\8njS1by2_oecbNC P4zy.pptx	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\8njS1by2_oecbNC P4zy.pptx	1	Fn

Thread 0x850

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\9sRvP5V9AccV.ods, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\9sRvP5V9AccV.ods, size = 34600, size_out = 34600	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\A9467A821967F20598E66B961D60D64D.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\A9467A821967F20598E66B961D60D64D.XZZX, size = 34600	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\A9467A821967F20598E66B961D60D64D.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\A9467A821967F20598E66B961D60D64D.XZZX, size = 32	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\A9467A821967F20598E66B961D60D64D.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\A9467A821967F20598E66B961D60D64D.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\A9467A821967F20598E66B961D60D64D.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 16, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 17, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\9sRvP5V9AccV.ods	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\9sRvP5V9AccV.ods	1	Fn

Thread 0x6f0

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\ASEJIISwQeKimcHMn.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\ASEJIISwQeKimcHMn.xlsx, size = 45568, size_out = 45568	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\D8B4FBC032E124E029E6603236DA0928.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\D8B4FBC032E124E029E6603236DA0928.XZZX, size = 45568	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\D8B4FBC032E124E029E6603236DA0928.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\D8B4FBC032E124E029E6603236DA0928.XZZX, size = 44	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\D8B4FBC032E124E029E6603236DA0928.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\D8B4FBC032E124E029E6603236DA0928.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\D8B4FBC032E124E029E6603236DA0928.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 17, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 18, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\ASEJIISwQeKimcHMn.xlsx	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\ASEJIISwQeKimcHMn.xlsx	1	Fn

Thread 0x5dc

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\B92naCEgJ.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\B92naCEgJ.docx, size = 58753, size_out = 58753	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\AF137D37318F929FC9EC733B358876E7.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\AF137D37318F929FC9EC733B358876E7.XZZX, size = 58753	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\AF137D37318F929FC9EC733B358876E7.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\AF137D37318F929FC9EC733B358876E7.XZZX, size = 28	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\AF137D37318F929FC9EC733B358876E7.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\AF137D37318F929FC9EC733B358876E7.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\AF137D37318F929FC9EC733B358876E7.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 18, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 19, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\B92naCEgJ.docx	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\B92naCEgJ.docx	1	Fn

Thread 0x660

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\de6NX.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\de6NX.xlsx, size = 58634, size_out = 58634	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\E1CB2DE23002B20E4903A282342F9656.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\E1CB2DE23002B20E4903A282342F9656.XZZX, size = 58634	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\E1CB2DE23002B20E4903A282342F9656.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\E1CB2DE23002B20E4903A282342F9656.XZZX, size = 20	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\E1CB2DE23002B20E4903A282342F9656.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\E1CB2DE23002B20E4903A282342F9656.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\E1CB2DE23002B20E4903A282342F9656.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 19, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 20, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\de6NX.xlsx	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\de6NX.xlsx	1	Fn

Thread 0x8d0

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\desktop.ini, size = 402, size_out = 402	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5A5E8816436ABA61C7EC8F1A47A79EA9.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5A5E8816436ABA61C7EC8F1A47A79EA9.XZZX, size = 402	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5A5E8816436ABA61C7EC8F1A47A79EA9.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5A5E8816436ABA61C7EC8F1A47A79EA9.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5A5E8816436ABA61C7EC8F1A47A79EA9.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5A5E8816436ABA61C7EC8F1A47A79EA9.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5A5E8816436ABA61C7EC8F1A47A79EA9.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 20, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 21, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\desktop.ini	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\desktop.ini	1	Fn

Thread 0x8d4

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\dKWKVTxHxijfZD_dSm_.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\dKWKVTxHxijfZD_dSm_.xlsx, size = 43699, size_out = 43699	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4CA2A3B835A9C9D86061764339F6AE20.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4CA2A3B835A9C9D86061764339F6AE20.XZZX, size = 43699	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4CA2A3B835A9C9D86061764339F6AE20.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4CA2A3B835A9C9D86061764339F6AE20.XZZX, size = 48	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4CA2A3B835A9C9D86061764339F6AE20.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4CA2A3B835A9C9D86061764339F6AE20.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4CA2A3B835A9C9D86061764339F6AE20.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 21, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 22, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\dKWKVTxHxijfZD_dSm_.xlsx	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\dKWKVTxHxijfZD_dSm_.xlsx	1	Fn

Thread 0x3a8

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\dsL8WL.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\dsL8WL.docx, size = 66465, size_out = 66465	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\D4132CC416066089C413F0DC1A1E44D1.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\D4132CC416066089C413F0DC1A1E44D1.XZZX, size = 66465	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\D4132CC416066089C413F0DC1A1E44D1.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\D4132CC416066089C413F0DC1A1E44D1.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\D4132CC416066089C413F0DC1A1E44D1.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\D4132CC416066089C413F0DC1A1E44D1.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\D4132CC416066089C413F0DC1A1E44D1.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 23, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 24, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\dsL8WL.docx	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\dsL8WL.docx	1	Fn

Thread 0x7b0

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\e5mivlGcxa-nNKp.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\e5mivlGcxa-nNKp.docx, size = 41145, size_out = 41145	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\7E0556C23257A27A640F901F368486C2.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\7E0556C23257A27A640F901F368486C2.XZZX, size = 41145	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\7E0556C23257A27A640F901F368486C2.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\7E0556C23257A27A640F901F368486C2.XZZX, size = 40	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\7E0556C23257A27A640F901F368486C2.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\7E0556C23257A27A640F901F368486C2.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\7E0556C23257A27A640F901F368486C2.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 22, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 23, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\e5mivlGcxa-nNKp.docx	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\e5mivlGcxa-nNKp.docx	1	Fn

Thread 0x794

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\eL7YHoCZexIT pMk.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\eL7YHoCZexIT pMk.docx, size = 1783, size_out = 1783	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\B8F78CE2222013C8FF50021B265CF810.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\B8F78CE2222013C8FF50021B265CF810.XZZX, size = 1783	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\B8F78CE2222013C8FF50021B265CF810.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\B8F78CE2222013C8FF50021B265CF810.XZZX, size = 42	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\B8F78CE2222013C8FF50021B265CF810.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\B8F78CE2222013C8FF50021B265CF810.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\B8F78CE2222013C8FF50021B265CF810.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 24, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 25, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\eL7YHoCZexIT pMk.docx	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\eL7YHoCZexIT pMk.docx	1	Fn

Thread 0x57c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\EtzbOnPY1PmFQ.rtf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\EtzbOnPY1PmFQ.rtf, size = 66055, size_out = 66055	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\2F2EBAD63A6E51CF01E49D9E3E863617.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\2F2EBAD63A6E51CF01E49D9E3E863617.XZZX, size = 66055	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\2F2EBAD63A6E51CF01E49D9E3E863617.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\2F2EBAD63A6E51CF01E49D9E3E863617.XZZX, size = 34	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\2F2EBAD63A6E51CF01E49D9E3E863617.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\2F2EBAD63A6E51CF01E49D9E3E863617.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\2F2EBAD63A6E51CF01E49D9E3E863617.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 25, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 26, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\EtzbOnPY1PmFQ.rtf	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\EtzbOnPY1PmFQ.rtf	1	Fn

Thread 0x608

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\PJ8NaDyMfjtJM01lTM.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\PJ8NaDyMfjtJM01lTM.xlsx, size = 6597, size_out = 6597	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5F3F59042CD153CCC290441930FE3814.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5F3F59042CD153CCC290441930FE3814.XZZX, size = 6597	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5F3F59042CD153CCC290441930FE3814.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5F3F59042CD153CCC290441930FE3814.XZZX, size = 46	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5F3F59042CD153CCC290441930FE3814.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5F3F59042CD153CCC290441930FE3814.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5F3F59042CD153CCC290441930FE3814.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 26, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 27, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\PJ8NaDyMfjtJM01lTM.xlsx	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\PJ8NaDyMfjtJM01lTM.xlsx	1	Fn

Thread 0x530

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\uGN1arUrfzZMomzHA.pptx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\uGN1arUrfzZMomzHA.pptx, size = 85604, size_out = 85604	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\D7DDFDC32CF119C87B5BFA373108FE10.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\D7DDFDC32CF119C87B5BFA373108FE10.XZZX, size = 85604	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\D7DDFDC32CF119C87B5BFA373108FE10.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\D7DDFDC32CF119C87B5BFA373108FE10.XZZX, size = 44	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\D7DDFDC32CF119C87B5BFA373108FE10.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\D7DDFDC32CF119C87B5BFA373108FE10.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\D7DDFDC32CF119C87B5BFA373108FE10.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 27, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 28, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\uGN1arUrfzZMomzHA.pptx	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\uGN1arUrfzZMomzHA.pptx	1	Fn

Thread 0x8dc

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\X2tQqTNWjx7lgtPo5htj.pptx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\X2tQqTNWjx7lgtPo5htj.pptx, size = 96420, size_out = 96420	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BB3CCCBC286641FC324D4A8B2C932644.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BB3CCCBC286641FC324D4A8B2C932644.XZZX, size = 96420	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BB3CCCBC286641FC324D4A8B2C932644.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BB3CCCBC286641FC324D4A8B2C932644.XZZX, size = 50	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BB3CCCBC286641FC324D4A8B2C932644.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BB3CCCBC286641FC324D4A8B2C932644.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BB3CCCBC286641FC324D4A8B2C932644.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 28, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 29, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\X2tQqTNWjx7lgtPo5htj.pptx	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\X2tQqTNWjx7lgtPo5htj.pptx	1	Fn

Thread 0x8d8

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\_oHxelCBmJ.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\_oHxelCBmJ.docx, size = 83682, size_out = 83682	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\38AA9E1F3FE71932FADE96E143FEFD7A.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\38AA9E1F3FE71932FADE96E143FEFD7A.XZZX, size = 83682	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\38AA9E1F3FE71932FADE96E143FEFD7A.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\38AA9E1F3FE71932FADE96E143FEFD7A.XZZX, size = 30	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\38AA9E1F3FE71932FADE96E143FEFD7A.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\38AA9E1F3FE71932FADE96E143FEFD7A.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\38AA9E1F3FE71932FADE96E143FEFD7A.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 31, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 32, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\_oHxelCBmJ.docx	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\_oHxelCBmJ.docx	1	Fn

Thread 0x8a8

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\_P_aT.odt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\_P_aT.odt, size = 15849, size_out = 15849	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\B0407B59334CDCAF9E2CA2E33779C0F7.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\B0407B59334CDCAF9E2CA2E33779C0F7.XZZX, size = 15849	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\B0407B59334CDCAF9E2CA2E33779C0F7.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\B0407B59334CDCAF9E2CA2E33779C0F7.XZZX, size = 18	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\B0407B59334CDCAF9E2CA2E33779C0F7.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\B0407B59334CDCAF9E2CA2E33779C0F7.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\B0407B59334CDCAF9E2CA2E33779C0F7.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 29, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 30, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\_P_aT.odt	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\_P_aT.odt	1	Fn

Thread 0x328

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\-tHIa9_.xls, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\-tHIa9_.xls, size = 80789, size_out = 80789	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\EE9B10B00F697CE4836159F013D6612C.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\EE9B10B00F697CE4836159F013D6612C.XZZX, size = 80789	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\EE9B10B00F697CE4836159F013D6612C.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\EE9B10B00F697CE4836159F013D6612C.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\EE9B10B00F697CE4836159F013D6612C.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\EE9B10B00F697CE4836159F013D6612C.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\EE9B10B00F697CE4836159F013D6612C.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 30, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 31, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\-tHIa9_.xls	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\-tHIa9_.xls	1	Fn

Thread 0x218

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\Gg8kaToejw.xls, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\Gg8kaToejw.xls, size = 23748, size_out = 23748	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\8441A0B23FA9B9126D832A0D43D69D5A.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\8441A0B23FA9B9126D832A0D43D69D5A.XZZX, size = 23748	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\8441A0B23FA9B9126D832A0D43D69D5A.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\8441A0B23FA9B9126D832A0D43D69D5A.XZZX, size = 28	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\8441A0B23FA9B9126D832A0D43D69D5A.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\8441A0B23FA9B9126D832A0D43D69D5A.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\8441A0B23FA9B9126D832A0D43D69D5A.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 32, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 33, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\Gg8kaToejw.xls	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\Gg8kaToejw.xls	1	Fn

Thread 0x540

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\JDjp8wKsx5Dz.ots, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\JDjp8wKsx5Dz.ots, size = 31485, size_out = 31485	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\240D5DC448CDCC4A47DE5EDE4CE5B092.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\240D5DC448CDCC4A47DE5EDE4CE5B092.XZZX, size = 31485	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\240D5DC448CDCC4A47DE5EDE4CE5B092.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\240D5DC448CDCC4A47DE5EDE4CE5B092.XZZX, size = 32	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\240D5DC448CDCC4A47DE5EDE4CE5B092.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\240D5DC448CDCC4A47DE5EDE4CE5B092.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\240D5DC448CDCC4A47DE5EDE4CE5B092.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 33, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 34, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\JDjp8wKsx5Dz.ots	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\JDjp8wKsx5Dz.ots	1	Fn

Thread 0x910

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\KtwKDD9P56tzPTxgwQR.ods, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\KtwKDD9P56tzPTxgwQR.ods, size = 26774, size_out = 26774	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\2525214410F7DA278BE33B7C150FBE6F.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\2525214410F7DA278BE33B7C150FBE6F.XZZX, size = 26774	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\2525214410F7DA278BE33B7C150FBE6F.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\2525214410F7DA278BE33B7C150FBE6F.XZZX, size = 46	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\2525214410F7DA278BE33B7C150FBE6F.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\2525214410F7DA278BE33B7C150FBE6F.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\2525214410F7DA278BE33B7C150FBE6F.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 34, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 35, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\KtwKDD9P56tzPTxgwQR.ods	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\KtwKDD9P56tzPTxgwQR.ods	1	Fn

Thread 0x91c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\mPKKZqdrZkc7.pdf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\mPKKZqdrZkc7.pdf, size = 42795, size_out = 42795	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\B4A323B51740B3FD1D50DD1D1B6D9845.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\B4A323B51740B3FD1D50DD1D1B6D9845.XZZX, size = 42795	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\B4A323B51740B3FD1D50DD1D1B6D9845.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\B4A323B51740B3FD1D50DD1D1B6D9845.XZZX, size = 32	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\B4A323B51740B3FD1D50DD1D1B6D9845.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\B4A323B51740B3FD1D50DD1D1B6D9845.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\B4A323B51740B3FD1D50DD1D1B6D9845.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 35, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 36, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\mPKKZqdrZkc7.pdf	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\mPKKZqdrZkc7.pdf	1	Fn

Thread 0x908

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\NMqv0Yc9MO55X.xls, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\NMqv0Yc9MO55X.xls, size = 33163, size_out = 33163	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\A0DC431228DE1E088FD30DB72CF60250.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\A0DC431228DE1E088FD30DB72CF60250.XZZX, size = 33163	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\A0DC431228DE1E088FD30DB72CF60250.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\A0DC431228DE1E088FD30DB72CF60250.XZZX, size = 34	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\A0DC431228DE1E088FD30DB72CF60250.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\A0DC431228DE1E088FD30DB72CF60250.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\A0DC431228DE1E088FD30DB72CF60250.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 36, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 37, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\NMqv0Yc9MO55X.xls	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\NMqv0Yc9MO55X.xls	1	Fn

Thread 0x8f4

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\QRg3dKar.odp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\QRg3dKar.odp, size = 28406, size_out = 28406	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\4718805A3B556C301085A1313FC25078.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\4718805A3B556C301085A1313FC25078.XZZX, size = 28406	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\4718805A3B556C301085A1313FC25078.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\4718805A3B556C301085A1313FC25078.XZZX, size = 24	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\4718805A3B556C301085A1313FC25078.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\4718805A3B556C301085A1313FC25078.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\4718805A3B556C301085A1313FC25078.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 37, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 38, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\QRg3dKar.odp	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\QRg3dKar.odp	1	Fn

Thread 0x60c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\vqWzW8a_K.doc, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\vqWzW8a_K.doc, size = 9517, size_out = 9517	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\3D3271B13FFA5012E003EAB54427345A.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\3D3271B13FFA5012E003EAB54427345A.XZZX, size = 9517	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\3D3271B13FFA5012E003EAB54427345A.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\3D3271B13FFA5012E003EAB54427345A.XZZX, size = 26	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\3D3271B13FFA5012E003EAB54427345A.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\3D3271B13FFA5012E003EAB54427345A.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\3D3271B13FFA5012E003EAB54427345A.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 38, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 39, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\vqWzW8a_K.doc	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\vqWzW8a_K.doc	1	Fn

Thread 0x8ec

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\YYzgnphG.csv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\YYzgnphG.csv, size = 101917, size_out = 101917	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\1B49D0D52A00521DE10DAFA32E183665.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\1B49D0D52A00521DE10DAFA32E183665.XZZX, size = 101917	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\1B49D0D52A00521DE10DAFA32E183665.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\1B49D0D52A00521DE10DAFA32E183665.XZZX, size = 24	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\1B49D0D52A00521DE10DAFA32E183665.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\1B49D0D52A00521DE10DAFA32E183665.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\1B49D0D52A00521DE10DAFA32E183665.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 39, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 40, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\YYzgnphG.csv	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\YYzgnphG.csv	1	Fn

Thread 0x744

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\8uRJm.csv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\8uRJm.csv, size = 59775, size_out = 59775	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\069C108614226DDA8ED0A1A1188F5222.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\069C108614226DDA8ED0A1A1188F5222.XZZX, size = 59775	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\069C108614226DDA8ED0A1A1188F5222.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\069C108614226DDA8ED0A1A1188F5222.XZZX, size = 18	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\069C108614226DDA8ED0A1A1188F5222.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\069C108614226DDA8ED0A1A1188F5222.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\069C108614226DDA8ED0A1A1188F5222.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 40, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 41, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\8uRJm.csv	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\8uRJm.csv	1	Fn

Thread 0x8e8

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\dUnN.ppt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\dUnN.ppt, size = 92488, size_out = 92488	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\E47D77FB28AD6F18CEB95D752CDA5360.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\E47D77FB28AD6F18CEB95D752CDA5360.XZZX, size = 92488	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\E47D77FB28AD6F18CEB95D752CDA5360.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\E47D77FB28AD6F18CEB95D752CDA5360.XZZX, size = 16	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\E47D77FB28AD6F18CEB95D752CDA5360.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\E47D77FB28AD6F18CEB95D752CDA5360.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\E47D77FB28AD6F18CEB95D752CDA5360.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 41, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 42, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\dUnN.ppt	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\dUnN.ppt	1	Fn

Thread 0x8e4

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\DyX3zmFDQ.pps, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\DyX3zmFDQ.pps, size = 98411, size_out = 98411	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\3D2178A332ED6F4701E92E353705538F.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\3D2178A332ED6F4701E92E353705538F.XZZX, size = 98411	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\3D2178A332ED6F4701E92E353705538F.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\3D2178A332ED6F4701E92E353705538F.XZZX, size = 26	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\3D2178A332ED6F4701E92E353705538F.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\3D2178A332ED6F4701E92E353705538F.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\3D2178A332ED6F4701E92E353705538F.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 42, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 43, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\DyX3zmFDQ.pps	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\DyX3zmFDQ.pps	1	Fn

Thread 0x950

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\Kv3rt4CpuhTFQ.pptx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\Kv3rt4CpuhTFQ.pptx, size = 88716, size_out = 88716	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\9345D86A0F87DA84ADA8003E13B4BECC.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\9345D86A0F87DA84ADA8003E13B4BECC.XZZX, size = 88716	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\9345D86A0F87DA84ADA8003E13B4BECC.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\9345D86A0F87DA84ADA8003E13B4BECC.XZZX, size = 36	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\9345D86A0F87DA84ADA8003E13B4BECC.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\9345D86A0F87DA84ADA8003E13B4BECC.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\9345D86A0F87DA84ADA8003E13B4BECC.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 43, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 44, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\Kv3rt4CpuhTFQ.pptx	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\Kv3rt4CpuhTFQ.pptx	1	Fn

Thread 0x95c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\WHrA_.docx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\WHrA_.docx, size = 4377, size_out = 4377	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\A216BEA01542C25C94FD01F0195AA6A4.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\A216BEA01542C25C94FD01F0195AA6A4.XZZX, size = 4377	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\A216BEA01542C25C94FD01F0195AA6A4.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\A216BEA01542C25C94FD01F0195AA6A4.XZZX, size = 20	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\A216BEA01542C25C94FD01F0195AA6A4.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\A216BEA01542C25C94FD01F0195AA6A4.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\A216BEA01542C25C94FD01F0195AA6A4.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 44, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 45, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\WHrA_.docx	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\WHrA_.docx	1	Fn

Thread 0x968

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\YtaJJRAGe.rtf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\YtaJJRAGe.rtf, size = 61233, size_out = 61233	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\E85C7261086E23DEDFC379D70C9B0826.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\E85C7261086E23DEDFC379D70C9B0826.XZZX, size = 61233	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\E85C7261086E23DEDFC379D70C9B0826.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\E85C7261086E23DEDFC379D70C9B0826.XZZX, size = 26	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\E85C7261086E23DEDFC379D70C9B0826.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\E85C7261086E23DEDFC379D70C9B0826.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\E85C7261086E23DEDFC379D70C9B0826.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 45, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 46, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\YtaJJRAGe.rtf	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\YtaJJRAGe.rtf	1	Fn

Thread 0x984

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\ZjfGK_.odt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\ZjfGK_.odt, size = 69528, size_out = 69528	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\33820CBD02F4B0D349B807FF070C951B.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\33820CBD02F4B0D349B807FF070C951B.XZZX, size = 69528	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\33820CBD02F4B0D349B807FF070C951B.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\33820CBD02F4B0D349B807FF070C951B.XZZX, size = 20	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\33820CBD02F4B0D349B807FF070C951B.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\33820CBD02F4B0D349B807FF070C951B.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\33820CBD02F4B0D349B807FF070C951B.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 46, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 47, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\ZjfGK_.odt	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\IkpxUp8UshIgHl1\ZjfGK_.odt	1	Fn

Thread 0x9a0

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\hcLzjn0RCFG.odp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\hcLzjn0RCFG.odp, size = 34260, size_out = 34260	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\632A4073379A2FDC09389DEB3BC71424.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\632A4073379A2FDC09389DEB3BC71424.XZZX, size = 34260	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\632A4073379A2FDC09389DEB3BC71424.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\632A4073379A2FDC09389DEB3BC71424.XZZX, size = 30	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\632A4073379A2FDC09389DEB3BC71424.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\632A4073379A2FDC09389DEB3BC71424.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\632A4073379A2FDC09389DEB3BC71424.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 47, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 48, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\hcLzjn0RCFG.odp	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\hcLzjn0RCFG.odp	1	Fn

Thread 0x940

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\IcF1qMW8Ow.doc, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\IcF1qMW8Ow.doc, size = 92642, size_out = 92642	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\6B01EA683DC5F7920A3C155C41DDDBDA.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\6B01EA683DC5F7920A3C155C41DDDBDA.XZZX, size = 92642	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\6B01EA683DC5F7920A3C155C41DDDBDA.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\6B01EA683DC5F7920A3C155C41DDDBDA.XZZX, size = 28	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\6B01EA683DC5F7920A3C155C41DDDBDA.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\6B01EA683DC5F7920A3C155C41DDDBDA.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\6B01EA683DC5F7920A3C155C41DDDBDA.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 48, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 49, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\IcF1qMW8Ow.doc	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\IcF1qMW8Ow.doc	1	Fn

Thread 0x92c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\Ld7trnreSqi.doc, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\Ld7trnreSqi.doc, size = 4281, size_out = 4281	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\5154BE9C1011AFD27B96A6C6143E941A.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\5154BE9C1011AFD27B96A6C6143E941A.XZZX, size = 4281	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\5154BE9C1011AFD27B96A6C6143E941A.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\5154BE9C1011AFD27B96A6C6143E941A.XZZX, size = 30	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\5154BE9C1011AFD27B96A6C6143E941A.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\5154BE9C1011AFD27B96A6C6143E941A.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\5154BE9C1011AFD27B96A6C6143E941A.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 49, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 50, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\Ld7trnreSqi.doc	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\Ld7trnreSqi.doc	1	Fn

Thread 0x99c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\nmyti-BLd1o.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\nmyti-BLd1o.xlsx, size = 86061, size_out = 86061	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\F8F047460EB3954ECCCBC0D612CB7996.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\F8F047460EB3954ECCCBC0D612CB7996.XZZX, size = 86061	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\F8F047460EB3954ECCCBC0D612CB7996.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\F8F047460EB3954ECCCBC0D612CB7996.XZZX, size = 32	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\F8F047460EB3954ECCCBC0D612CB7996.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\F8F047460EB3954ECCCBC0D612CB7996.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\F8F047460EB3954ECCCBC0D612CB7996.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 50, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 51, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\nmyti-BLd1o.xlsx	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\nmyti-BLd1o.xlsx	1	Fn

Thread 0x934

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\qOmkS_BDD92-oYj.xls, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\qOmkS_BDD92-oYj.xls, size = 41640, size_out = 41640	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\E3E55C1830B142FC6C2B225E34DE2744.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\E3E55C1830B142FC6C2B225E34DE2744.XZZX, size = 41640	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\E3E55C1830B142FC6C2B225E34DE2744.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\E3E55C1830B142FC6C2B225E34DE2744.XZZX, size = 38	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\E3E55C1830B142FC6C2B225E34DE2744.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\E3E55C1830B142FC6C2B225E34DE2744.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\E3E55C1830B142FC6C2B225E34DE2744.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 51, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 52, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\qOmkS_BDD92-oYj.xls	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\qOmkS_BDD92-oYj.xls	1	Fn

Thread 0x930

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\seND1DmmOud5.xls, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\seND1DmmOud5.xls, size = 45740, size_out = 45740	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\73C0D9902A7964C0808D031B2E914908.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\73C0D9902A7964C0808D031B2E914908.XZZX, size = 45740	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\73C0D9902A7964C0808D031B2E914908.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\73C0D9902A7964C0808D031B2E914908.XZZX, size = 32	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\73C0D9902A7964C0808D031B2E914908.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\73C0D9902A7964C0808D031B2E914908.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\73C0D9902A7964C0808D031B2E914908.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 52, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 53, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\seND1DmmOud5.xls	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\seND1DmmOud5.xls	1	Fn

Thread 0x8f0

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\tKsxqcE.csv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\tKsxqcE.csv, size = 52361, size_out = 52361	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\0FE24CF432281F2497377D743655036C.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\0FE24CF432281F2497377D743655036C.XZZX, size = 52361	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\0FE24CF432281F2497377D743655036C.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\0FE24CF432281F2497377D743655036C.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\0FE24CF432281F2497377D743655036C.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\0FE24CF432281F2497377D743655036C.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\0FE24CF432281F2497377D743655036C.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 53, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 54, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\tKsxqcE.csv	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\tKsxqcE.csv	1	Fn

Thread 0x900

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\xlbxUnchVTGwsFtof.doc, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\xlbxUnchVTGwsFtof.doc, size = 86335, size_out = 86335	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\7D60B7A8152CECB0B780C8B61944D0F8.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\7D60B7A8152CECB0B780C8B61944D0F8.XZZX, size = 86335	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\7D60B7A8152CECB0B780C8B61944D0F8.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\7D60B7A8152CECB0B780C8B61944D0F8.XZZX, size = 42	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\7D60B7A8152CECB0B780C8B61944D0F8.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\7D60B7A8152CECB0B780C8B61944D0F8.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\7D60B7A8152CECB0B780C8B61944D0F8.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 54, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 55, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\xlbxUnchVTGwsFtof.doc	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\xlbxUnchVTGwsFtof.doc	1	Fn

Thread 0x8e0

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\ZN_ n.ots, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\ZN_ n.ots, size = 52949, size_out = 52949	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\DE6D908A0693B67D2F37324A0AAB9AC5.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\DE6D908A0693B67D2F37324A0AAB9AC5.XZZX, size = 52949	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\DE6D908A0693B67D2F37324A0AAB9AC5.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\DE6D908A0693B67D2F37324A0AAB9AC5.XZZX, size = 18	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\DE6D908A0693B67D2F37324A0AAB9AC5.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\DE6D908A0693B67D2F37324A0AAB9AC5.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\DE6D908A0693B67D2F37324A0AAB9AC5.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 55, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 56, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\ZN_ n.ots	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\ZN_ n.ots	1	Fn

Thread 0x928

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\zRPN8xkNuY7pBA7JA.csv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\zRPN8xkNuY7pBA7JA.csv, size = 23083, size_out = 23083	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\4CDE900F0BC30BB32AB81EE70FDAEFFB.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\4CDE900F0BC30BB32AB81EE70FDAEFFB.XZZX, size = 23083	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\4CDE900F0BC30BB32AB81EE70FDAEFFB.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\4CDE900F0BC30BB32AB81EE70FDAEFFB.XZZX, size = 42	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\4CDE900F0BC30BB32AB81EE70FDAEFFB.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\4CDE900F0BC30BB32AB81EE70FDAEFFB.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\4CDE900F0BC30BB32AB81EE70FDAEFFB.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 56, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 57, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\zRPN8xkNuY7pBA7JA.csv	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\lhhNd9leW5xmlXw00JFa\ZW28zqHzfxAY2NV\zRPN8xkNuY7pBA7JA.csv	1	Fn

Thread 0x938

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\desktop.ini, size = 216, size_out = 216	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\BF7B86490294F06B45AC44D706ACD4B3.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\BF7B86490294F06B45AC44D706ACD4B3.XZZX, size = 216	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\BF7B86490294F06B45AC44D706ACD4B3.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\BF7B86490294F06B45AC44D706ACD4B3.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\BF7B86490294F06B45AC44D706ACD4B3.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\BF7B86490294F06B45AC44D706ACD4B3.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\BF7B86490294F06B45AC44D706ACD4B3.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 57, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 58, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\desktop.ini	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\desktop.ini	1	Fn

Thread 0x944

(Host: 3, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\Favorites.vss, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn
Module	Create Mapping	module_name = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\Favorites.vss, filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\Favorites.vss, protection = PAGE_READWRITE, maximum_size = 0		1	Fn

Thread 0x998

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\_private\folder.ico, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\_private\folder.ico, size = 29926, size_out = 29926	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\_private\7B7BA3C4205941180FE9457124712560.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\_private\7B7BA3C4205941180FE9457124712560.XZZX, size = 29926	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\_private\7B7BA3C4205941180FE9457124712560.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\_private\7B7BA3C4205941180FE9457124712560.XZZX, size = 20	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\_private\7B7BA3C4205941180FE9457124712560.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\_private\7B7BA3C4205941180FE9457124712560.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\_private\7B7BA3C4205941180FE9457124712560.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 58, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 59, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\_private\folder.ico	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\_private\folder.ico	1	Fn

Thread 0x94c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\voeimd@djhreuu.uhd.pst, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\voeimd@djhreuu.uhd.pst, size = 271360, size_out = 271360	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\7BA753503E40D4C00F297B124258B908.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\7BA753503E40D4C00F297B124258B908.XZZX, size = 271360	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\7BA753503E40D4C00F297B124258B908.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\7BA753503E40D4C00F297B124258B908.XZZX, size = 44	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\7BA753503E40D4C00F297B124258B908.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\7BA753503E40D4C00F297B124258B908.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\7BA753503E40D4C00F297B124258B908.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 59, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 60, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\voeimd@djhreuu.uhd.pst	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\voeimd@djhreuu.uhd.pst	1	Fn

Thread 0x954

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Downloads\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Downloads\desktop.ini, size = 282, size_out = 282	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Downloads\4645E01C4F3CCEC4EA018E655354B30C.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Downloads\4645E01C4F3CCEC4EA018E655354B30C.XZZX, size = 282	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Downloads\4645E01C4F3CCEC4EA018E655354B30C.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Downloads\4645E01C4F3CCEC4EA018E655354B30C.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Downloads\4645E01C4F3CCEC4EA018E655354B30C.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Downloads\4645E01C4F3CCEC4EA018E655354B30C.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Downloads\4645E01C4F3CCEC4EA018E655354B30C.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 60, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 61, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Downloads\desktop.ini	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Downloads\desktop.ini	1	Fn

Thread 0x924

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\desktop.ini, size = 402, size_out = 402	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\72A6C9432269CCE1A510518B2681B129.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\72A6C9432269CCE1A510518B2681B129.XZZX, size = 402	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\72A6C9432269CCE1A510518B2681B129.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\72A6C9432269CCE1A510518B2681B129.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\72A6C9432269CCE1A510518B2681B129.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\72A6C9432269CCE1A510518B2681B129.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\72A6C9432269CCE1A510518B2681B129.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 61, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 62, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\desktop.ini	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\desktop.ini	1	Fn

Thread 0x994

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\desktop.ini, size = 80, size_out = 80	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\8E5ECE9444DBAF1A59BC413E48F39362.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\8E5ECE9444DBAF1A59BC413E48F39362.XZZX, size = 80	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\8E5ECE9444DBAF1A59BC413E48F39362.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\8E5ECE9444DBAF1A59BC413E48F39362.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\8E5ECE9444DBAF1A59BC413E48F39362.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\8E5ECE9444DBAF1A59BC413E48F39362.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\8E5ECE9444DBAF1A59BC413E48F39362.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 62, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 63, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\desktop.ini	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\desktop.ini	1	Fn

Thread 0x990

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Suggested Sites.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Suggested Sites.url, size = 236, size_out = 236	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\B8440918056E9F026EA48C8C0986834A.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\B8440918056E9F026EA48C8C0986834A.XZZX, size = 236	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\B8440918056E9F026EA48C8C0986834A.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\B8440918056E9F026EA48C8C0986834A.XZZX, size = 38	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\B8440918056E9F026EA48C8C0986834A.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\B8440918056E9F026EA48C8C0986834A.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\B8440918056E9F026EA48C8C0986834A.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 63, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 64, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Suggested Sites.url	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Suggested Sites.url	1	Fn

Thread 0x98c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Web Slice Gallery.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Web Slice Gallery.url, size = 226, size_out = 226	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\15DC3754190A8EA84ED7A99B1D2272F0.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\15DC3754190A8EA84ED7A99B1D2272F0.XZZX, size = 226	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\15DC3754190A8EA84ED7A99B1D2272F0.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\15DC3754190A8EA84ED7A99B1D2272F0.XZZX, size = 42	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\15DC3754190A8EA84ED7A99B1D2272F0.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\15DC3754190A8EA84ED7A99B1D2272F0.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\15DC3754190A8EA84ED7A99B1D2272F0.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 65, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Web Slice Gallery.url	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Web Slice Gallery.url	1	Fn

Thread 0x980

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE Add-on site.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE Add-on site.url, size = 133, size_out = 133	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\1B49B9E018F35807975DC8201D0B3C4F.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\1B49B9E018F35807975DC8201D0B3C4F.XZZX, size = 133	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\1B49B9E018F35807975DC8201D0B3C4F.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\1B49B9E018F35807975DC8201D0B3C4F.XZZX, size = 36	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\1B49B9E018F35807975DC8201D0B3C4F.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\1B49B9E018F35807975DC8201D0B3C4F.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\1B49B9E018F35807975DC8201D0B3C4F.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 65, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 66, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE Add-on site.url	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE Add-on site.url	1	Fn

Thread 0x9c0

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE site on Microsoft.com.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE site on Microsoft.com.url, size = 133, size_out = 133	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\FD9030E848C62D90344A51E94CDE11D8.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\FD9030E848C62D90344A51E94CDE11D8.XZZX, size = 133	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\FD9030E848C62D90344A51E94CDE11D8.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\FD9030E848C62D90344A51E94CDE11D8.XZZX, size = 56	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\FD9030E848C62D90344A51E94CDE11D8.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\FD9030E848C62D90344A51E94CDE11D8.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\FD9030E848C62D90344A51E94CDE11D8.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 66, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 67, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE site on Microsoft.com.url	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE site on Microsoft.com.url	1	Fn

Thread 0x8f8

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Home.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Home.url, size = 133, size_out = 133	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\30FEF3B4011ABE0E503ED66C0532A256.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\30FEF3B4011ABE0E503ED66C0532A256.XZZX, size = 133	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\30FEF3B4011ABE0E503ED66C0532A256.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\30FEF3B4011ABE0E503ED66C0532A256.XZZX, size = 42	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\30FEF3B4011ABE0E503ED66C0532A256.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\30FEF3B4011ABE0E503ED66C0532A256.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\30FEF3B4011ABE0E503ED66C0532A256.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 67, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 68, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Home.url	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Home.url	1	Fn

Thread 0x914

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Work.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Work.url, size = 133, size_out = 133	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\B2A8C78F28F146042377D2FD2D1E2A4C.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\B2A8C78F28F146042377D2FD2D1E2A4C.XZZX, size = 133	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\B2A8C78F28F146042377D2FD2D1E2A4C.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\B2A8C78F28F146042377D2FD2D1E2A4C.XZZX, size = 42	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\B2A8C78F28F146042377D2FD2D1E2A4C.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\B2A8C78F28F146042377D2FD2D1E2A4C.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\B2A8C78F28F146042377D2FD2D1E2A4C.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 68, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 69, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Work.url	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Work.url	1	Fn

Thread 0x920

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft Store.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft Store.url, size = 134, size_out = 134	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\1844FE2A092A01627C9EB5E50D41E5AA.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\1844FE2A092A01627C9EB5E50D41E5AA.XZZX, size = 134	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\1844FE2A092A01627C9EB5E50D41E5AA.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\1844FE2A092A01627C9EB5E50D41E5AA.XZZX, size = 38	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\1844FE2A092A01627C9EB5E50D41E5AA.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\1844FE2A092A01627C9EB5E50D41E5AA.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\1844FE2A092A01627C9EB5E50D41E5AA.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 69, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 70, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft Store.url	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft Store.url	1	Fn

Thread 0x380

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Autos.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Autos.url, size = 133, size_out = 133	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\833DF956476C97EAEAF8AD0B4B847C32.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\833DF956476C97EAEAF8AD0B4B847C32.XZZX, size = 133	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\833DF956476C97EAEAF8AD0B4B847C32.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\833DF956476C97EAEAF8AD0B4B847C32.XZZX, size = 26	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\833DF956476C97EAEAF8AD0B4B847C32.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\833DF956476C97EAEAF8AD0B4B847C32.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\833DF956476C97EAEAF8AD0B4B847C32.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 70, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 71, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Autos.url	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Autos.url	1	Fn

Thread 0x884

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Entertainment.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Entertainment.url, size = 133, size_out = 133	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\13771DB6235C0ADD78BD03922773EF25.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\13771DB6235C0ADD78BD03922773EF25.XZZX, size = 133	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\13771DB6235C0ADD78BD03922773EF25.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\13771DB6235C0ADD78BD03922773EF25.XZZX, size = 42	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\13771DB6235C0ADD78BD03922773EF25.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\13771DB6235C0ADD78BD03922773EF25.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\13771DB6235C0ADD78BD03922773EF25.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 71, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 72, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Entertainment.url	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Entertainment.url	1	Fn

Thread 0x9f8

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Money.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Money.url, size = 133, size_out = 133	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\8F3B67D5108CB69FDD5C15D914B99AE7.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\8F3B67D5108CB69FDD5C15D914B99AE7.XZZX, size = 133	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\8F3B67D5108CB69FDD5C15D914B99AE7.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\8F3B67D5108CB69FDD5C15D914B99AE7.XZZX, size = 26	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\8F3B67D5108CB69FDD5C15D914B99AE7.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\8F3B67D5108CB69FDD5C15D914B99AE7.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\8F3B67D5108CB69FDD5C15D914B99AE7.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 72, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 73, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Money.url	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Money.url	1	Fn

Thread 0x880

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Sports.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Sports.url, size = 133, size_out = 133	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\94764F5B3C2DC73EAED48D494045AB86.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\94764F5B3C2DC73EAED48D494045AB86.XZZX, size = 133	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\94764F5B3C2DC73EAED48D494045AB86.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\94764F5B3C2DC73EAED48D494045AB86.XZZX, size = 28	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\94764F5B3C2DC73EAED48D494045AB86.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\94764F5B3C2DC73EAED48D494045AB86.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\94764F5B3C2DC73EAED48D494045AB86.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 73, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 74, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Sports.url	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Sports.url	1	Fn

Thread 0x878

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN.url, size = 133, size_out = 133	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\583CA788134302604AF8FA2E175AE6A8.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\583CA788134302604AF8FA2E175AE6A8.XZZX, size = 133	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\583CA788134302604AF8FA2E175AE6A8.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\583CA788134302604AF8FA2E175AE6A8.XZZX, size = 14	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\583CA788134302604AF8FA2E175AE6A8.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\583CA788134302604AF8FA2E175AE6A8.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\583CA788134302604AF8FA2E175AE6A8.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 74, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 75, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN.url	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN.url	1	Fn

Thread 0x87c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSNBC News.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSNBC News.url, size = 133, size_out = 133	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\880F5E93248AC126C0E08BB728B7A56E.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\880F5E93248AC126C0E08BB728B7A56E.XZZX, size = 133	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\880F5E93248AC126C0E08BB728B7A56E.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\880F5E93248AC126C0E08BB728B7A56E.XZZX, size = 28	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\880F5E93248AC126C0E08BB728B7A56E.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\880F5E93248AC126C0E08BB728B7A56E.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\880F5E93248AC126C0E08BB728B7A56E.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 75, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 76, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSNBC News.url	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSNBC News.url	1	Fn

Thread 0x88c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Get Windows Live.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Get Windows Live.url, size = 133, size_out = 133	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\9AA1DB0A3E2DB1949E51C4AE424595DC.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\9AA1DB0A3E2DB1949E51C4AE424595DC.XZZX, size = 133	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\9AA1DB0A3E2DB1949E51C4AE424595DC.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\9AA1DB0A3E2DB1949E51C4AE424595DC.XZZX, size = 40	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\9AA1DB0A3E2DB1949E51C4AE424595DC.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\9AA1DB0A3E2DB1949E51C4AE424595DC.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\9AA1DB0A3E2DB1949E51C4AE424595DC.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 76, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 77, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Get Windows Live.url	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Get Windows Live.url	1	Fn

Thread 0x870

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Gallery.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Gallery.url, size = 133, size_out = 133	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\D9B986602FBC15FEC37446303428FA46.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\D9B986602FBC15FEC37446303428FA46.XZZX, size = 133	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\D9B986602FBC15FEC37446303428FA46.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\D9B986602FBC15FEC37446303428FA46.XZZX, size = 48	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\D9B986602FBC15FEC37446303428FA46.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\D9B986602FBC15FEC37446303428FA46.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\D9B986602FBC15FEC37446303428FA46.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 77, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 78, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Gallery.url	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Gallery.url	1	Fn

Thread 0xa30

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Mail.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Mail.url, size = 133, size_out = 133	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\FD9D491315D8C1EEE26AF31719F0A636.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\FD9D491315D8C1EEE26AF31719F0A636.XZZX, size = 133	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\FD9D491315D8C1EEE26AF31719F0A636.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\FD9D491315D8C1EEE26AF31719F0A636.XZZX, size = 42	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\FD9D491315D8C1EEE26AF31719F0A636.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\FD9D491315D8C1EEE26AF31719F0A636.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\FD9D491315D8C1EEE26AF31719F0A636.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 78, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 79, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Mail.url	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Mail.url	1	Fn

Thread 0xa40

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Spaces.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Spaces.url, size = 133, size_out = 133	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\A58916D017654CD0CF379F2B1B923118.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\A58916D017654CD0CF379F2B1B923118.XZZX, size = 133	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\A58916D017654CD0CF379F2B1B923118.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\A58916D017654CD0CF379F2B1B923118.XZZX, size = 46	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\A58916D017654CD0CF379F2B1B923118.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\A58916D017654CD0CF379F2B1B923118.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\A58916D017654CD0CF379F2B1B923118.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 79, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 80, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Spaces.url	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Spaces.url	1	Fn

Thread 0xa74

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\desktop.ini, size = 580, size_out = 580	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\AFA4CBC047178B40A7E7AA8D4B2F6F88.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\AFA4CBC047178B40A7E7AA8D4B2F6F88.XZZX, size = 580	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\AFA4CBC047178B40A7E7AA8D4B2F6F88.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\AFA4CBC047178B40A7E7AA8D4B2F6F88.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\AFA4CBC047178B40A7E7AA8D4B2F6F88.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\AFA4CBC047178B40A7E7AA8D4B2F6F88.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\AFA4CBC047178B40A7E7AA8D4B2F6F88.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 80, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 81, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\desktop.ini	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\desktop.ini	1	Fn

Thread 0xaa4

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\Downloads.lnk, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\Downloads.lnk, size = 929, size_out = 929	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\61C67744188385C0EADA50E91CF06A08.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\61C67744188385C0EADA50E91CF06A08.XZZX, size = 929	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\61C67744188385C0EADA50E91CF06A08.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\61C67744188385C0EADA50E91CF06A08.XZZX, size = 26	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\61C67744188385C0EADA50E91CF06A08.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\61C67744188385C0EADA50E91CF06A08.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\61C67744188385C0EADA50E91CF06A08.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 84, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 85, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\Downloads.lnk	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\Downloads.lnk	1	Fn

Thread 0xab0

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\RecentPlaces.lnk, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\RecentPlaces.lnk, size = 363, size_out = 363	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\02D36BF7229FBF1A2D198367271CA362.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\02D36BF7229FBF1A2D198367271CA362.XZZX, size = 363	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\02D36BF7229FBF1A2D198367271CA362.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\02D36BF7229FBF1A2D198367271CA362.XZZX, size = 32	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\02D36BF7229FBF1A2D198367271CA362.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\02D36BF7229FBF1A2D198367271CA362.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\02D36BF7229FBF1A2D198367271CA362.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 81, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 82, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\RecentPlaces.lnk	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\RecentPlaces.lnk	1	Fn

Thread 0xaf4

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\11DaFVcd U6Q75nbu_.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\11DaFVcd U6Q75nbu_.wav, size = 9130, size_out = 9130	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\95567F6E0CF2434A8F3CB62A111F2792.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\95567F6E0CF2434A8F3CB62A111F2792.XZZX, size = 9130	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\95567F6E0CF2434A8F3CB62A111F2792.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\95567F6E0CF2434A8F3CB62A111F2792.XZZX, size = 44	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\95567F6E0CF2434A8F3CB62A111F2792.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\95567F6E0CF2434A8F3CB62A111F2792.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\95567F6E0CF2434A8F3CB62A111F2792.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 82, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 83, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\11DaFVcd U6Q75nbu_.wav	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\11DaFVcd U6Q75nbu_.wav	1	Fn

Thread 0x638

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\8YglZU.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\8YglZU.wav, size = 25334, size_out = 25334	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\D25EF7C41A27D9E43EBB395A1EBABE2C.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\D25EF7C41A27D9E43EBB395A1EBABE2C.XZZX, size = 25334	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\D25EF7C41A27D9E43EBB395A1EBABE2C.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\D25EF7C41A27D9E43EBB395A1EBABE2C.XZZX, size = 20	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\D25EF7C41A27D9E43EBB395A1EBABE2C.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\D25EF7C41A27D9E43EBB395A1EBABE2C.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\D25EF7C41A27D9E43EBB395A1EBABE2C.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 83, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 84, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\8YglZU.wav	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\8YglZU.wav	1	Fn

Thread 0xb24

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\Ae42UeoE.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\Ae42UeoE.wav, size = 4469, size_out = 4469	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\FCD862501902E584E01CEFE81DABC9CC.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\FCD862501902E584E01CEFE81DABC9CC.XZZX, size = 4469	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\FCD862501902E584E01CEFE81DABC9CC.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\FCD862501902E584E01CEFE81DABC9CC.XZZX, size = 24	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\FCD862501902E584E01CEFE81DABC9CC.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\FCD862501902E584E01CEFE81DABC9CC.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\FCD862501902E584E01CEFE81DABC9CC.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 85, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 86, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\Ae42UeoE.wav	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\Ae42UeoE.wav	1	Fn

Thread 0x97c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\desktop.ini, size = 504, size_out = 504	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\5EF7279E2ED18E2582C79CC632E9726D.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\5EF7279E2ED18E2582C79CC632E9726D.XZZX, size = 504	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\5EF7279E2ED18E2582C79CC632E9726D.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\5EF7279E2ED18E2582C79CC632E9726D.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\5EF7279E2ED18E2582C79CC632E9726D.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\5EF7279E2ED18E2582C79CC632E9726D.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\5EF7279E2ED18E2582C79CC632E9726D.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 86, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 87, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\desktop.ini	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\desktop.ini	1	Fn

Thread 0xb10

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\ImbzlHSAeRD0mYdABk.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\ImbzlHSAeRD0mYdABk.mp3, size = 76583, size_out = 76583	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\129DFDC608A49A7CBFF35CF70D217EC4.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\129DFDC608A49A7CBFF35CF70D217EC4.XZZX, size = 76583	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\129DFDC608A49A7CBFF35CF70D217EC4.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\129DFDC608A49A7CBFF35CF70D217EC4.XZZX, size = 44	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\129DFDC608A49A7CBFF35CF70D217EC4.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\129DFDC608A49A7CBFF35CF70D217EC4.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\129DFDC608A49A7CBFF35CF70D217EC4.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 87, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 88, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\ImbzlHSAeRD0mYdABk.mp3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\ImbzlHSAeRD0mYdABk.mp3	1	Fn

Thread 0xae8

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\JKoqX.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\JKoqX.wav, size = 65745, size_out = 65745	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\35A8A5603BE70712A81D33D040A3EB5A.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\35A8A5603BE70712A81D33D040A3EB5A.XZZX, size = 65745	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\35A8A5603BE70712A81D33D040A3EB5A.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\35A8A5603BE70712A81D33D040A3EB5A.XZZX, size = 18	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\35A8A5603BE70712A81D33D040A3EB5A.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\35A8A5603BE70712A81D33D040A3EB5A.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\35A8A5603BE70712A81D33D040A3EB5A.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 88, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 89, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\JKoqX.wav	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\JKoqX.wav	1	Fn

Thread 0xb4c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\yV_ r.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\yV_ r.m4a, size = 16111, size_out = 16111	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\3DAB40862FBD462437E5810B348A2A6C.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\3DAB40862FBD462437E5810B348A2A6C.XZZX, size = 16111	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\3DAB40862FBD462437E5810B348A2A6C.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\3DAB40862FBD462437E5810B348A2A6C.XZZX, size = 18	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\3DAB40862FBD462437E5810B348A2A6C.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\3DAB40862FBD462437E5810B348A2A6C.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\3DAB40862FBD462437E5810B348A2A6C.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 90, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 91, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\yV_ r.m4a	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\yV_ r.m4a	1	Fn

Thread 0xb1c

(Host: 25, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\Z9ycP6znphCfb.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\Z9ycP6znphCfb.m4a, size = 95737, size_out = 95737	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\70CB960A1797B0A14EB31B321C2694E9.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\70CB960A1797B0A14EB31B321C2694E9.XZZX, size = 95737	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\70CB960A1797B0A14EB31B321C2694E9.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\70CB960A1797B0A14EB31B321C2694E9.XZZX, size = 34	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\70CB960A1797B0A14EB31B321C2694E9.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\70CB960A1797B0A14EB31B321C2694E9.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\70CB960A1797B0A14EB31B321C2694E9.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 91, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 92, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\Z9ycP6znphCfb.m4a	2	Fn

Thread 0xb08

(Host: 25, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\Z9ycP6znphCfb.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\Z9ycP6znphCfb.m4a, size = 95737, size_out = 95737	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\FAD3BB6308C4FC66694F337D0D31E0AE.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\FAD3BB6308C4FC66694F337D0D31E0AE.XZZX, size = 95737	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\FAD3BB6308C4FC66694F337D0D31E0AE.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\FAD3BB6308C4FC66694F337D0D31E0AE.XZZX, size = 34	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\FAD3BB6308C4FC66694F337D0D31E0AE.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\FAD3BB6308C4FC66694F337D0D31E0AE.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\FAD3BB6308C4FC66694F337D0D31E0AE.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 93, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 94, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\Z9ycP6znphCfb.m4a	2	Fn

Thread 0xb44

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\Z9ycP6znphCfb.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\Z9ycP6znphCfb.m4a, size = 95737, size_out = 95737	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\B169CAD546C877A0159FDF7F4B675BE8.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\B169CAD546C877A0159FDF7F4B675BE8.XZZX, size = 95737	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\B169CAD546C877A0159FDF7F4B675BE8.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\B169CAD546C877A0159FDF7F4B675BE8.XZZX, size = 34	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\B169CAD546C877A0159FDF7F4B675BE8.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\B169CAD546C877A0159FDF7F4B675BE8.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\B169CAD546C877A0159FDF7F4B675BE8.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 89, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 90, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\Z9ycP6znphCfb.m4a	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\Z9ycP6znphCfb.m4a	1	Fn

Thread 0xae0

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\6Fs5O-wZK5i.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\6Fs5O-wZK5i.m4a, size = 83288, size_out = 83288	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\51A5A3C031894064FCB3CED0366624AC.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\51A5A3C031894064FCB3CED0366624AC.XZZX, size = 83288	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\51A5A3C031894064FCB3CED0366624AC.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\51A5A3C031894064FCB3CED0366624AC.XZZX, size = 30	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\51A5A3C031894064FCB3CED0366624AC.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\51A5A3C031894064FCB3CED0366624AC.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\51A5A3C031894064FCB3CED0366624AC.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 92, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 93, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\6Fs5O-wZK5i.m4a	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\6Fs5O-wZK5i.m4a	1	Fn

Thread 0xb48

(Host: 25, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\6Fs5O-wZK5i.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\6Fs5O-wZK5i.m4a, size = 83288, size_out = 83288	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\C8E8BDDC263509ECACA7C0D62A50EE34.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\C8E8BDDC263509ECACA7C0D62A50EE34.XZZX, size = 83288	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\C8E8BDDC263509ECACA7C0D62A50EE34.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\C8E8BDDC263509ECACA7C0D62A50EE34.XZZX, size = 30	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\C8E8BDDC263509ECACA7C0D62A50EE34.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\C8E8BDDC263509ECACA7C0D62A50EE34.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\C8E8BDDC263509ECACA7C0D62A50EE34.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 94, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 95, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\6Fs5O-wZK5i.m4a	2	Fn

Thread 0xb38

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9tkObc3F16FjSYiAwFD.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9tkObc3F16FjSYiAwFD.wav, size = 91200, size_out = 91200	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\EED603F80D860CC870D6498A119DF110.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\EED603F80D860CC870D6498A119DF110.XZZX, size = 91200	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\EED603F80D860CC870D6498A119DF110.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\EED603F80D860CC870D6498A119DF110.XZZX, size = 46	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\EED603F80D860CC870D6498A119DF110.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\EED603F80D860CC870D6498A119DF110.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\EED603F80D860CC870D6498A119DF110.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 95, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 96, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9tkObc3F16FjSYiAwFD.wav	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9tkObc3F16FjSYiAwFD.wav	1	Fn

Thread 0xb58

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\aF_IB.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\aF_IB.m4a, size = 15812, size_out = 15812	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\1037641408F8F044B7533AA10D10D48C.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\1037641408F8F044B7533AA10D10D48C.XZZX, size = 15812	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\1037641408F8F044B7533AA10D10D48C.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\1037641408F8F044B7533AA10D10D48C.XZZX, size = 18	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\1037641408F8F044B7533AA10D10D48C.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\1037641408F8F044B7533AA10D10D48C.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\1037641408F8F044B7533AA10D10D48C.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 96, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 97, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\aF_IB.m4a	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\aF_IB.m4a	1	Fn

Thread 0xb2c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\jEamZMQ.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\jEamZMQ.mp3, size = 52568, size_out = 52568	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\B5A4F8D81D2BC280A6FB77022143A6C8.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\B5A4F8D81D2BC280A6FB77022143A6C8.XZZX, size = 52568	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\B5A4F8D81D2BC280A6FB77022143A6C8.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\B5A4F8D81D2BC280A6FB77022143A6C8.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\B5A4F8D81D2BC280A6FB77022143A6C8.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\B5A4F8D81D2BC280A6FB77022143A6C8.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\B5A4F8D81D2BC280A6FB77022143A6C8.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 97, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 98, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\jEamZMQ.mp3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\jEamZMQ.mp3	1	Fn

Thread 0xb5c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\JO1Lf.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\JO1Lf.m4a, size = 82338, size_out = 82338	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\A191878831212978B3B60CE1354E0DC0.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\A191878831212978B3B60CE1354E0DC0.XZZX, size = 82338	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\A191878831212978B3B60CE1354E0DC0.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\A191878831212978B3B60CE1354E0DC0.XZZX, size = 18	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\A191878831212978B3B60CE1354E0DC0.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\A191878831212978B3B60CE1354E0DC0.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\A191878831212978B3B60CE1354E0DC0.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 98, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 99, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\JO1Lf.m4a	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\JO1Lf.m4a	1	Fn

Thread 0xab4

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\oKJQx_NM6hXc.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\oKJQx_NM6hXc.mp3, size = 55238, size_out = 55238	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\6D35692C49D86B1ADE80FADA4DF04F62.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\6D35692C49D86B1ADE80FADA4DF04F62.XZZX, size = 55238	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\6D35692C49D86B1ADE80FADA4DF04F62.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\6D35692C49D86B1ADE80FADA4DF04F62.XZZX, size = 32	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\6D35692C49D86B1ADE80FADA4DF04F62.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\6D35692C49D86B1ADE80FADA4DF04F62.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\6D35692C49D86B1ADE80FADA4DF04F62.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 99, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 100, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\oKJQx_NM6hXc.mp3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\oKJQx_NM6hXc.mp3	1	Fn

Thread 0xa2c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\TWlZw1pNzI1gwZW3OH.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\TWlZw1pNzI1gwZW3OH.mp3, size = 1178, size_out = 1178	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\E003588E3DA0B59DC1493EC641B899E5.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\E003588E3DA0B59DC1493EC641B899E5.XZZX, size = 1178	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\E003588E3DA0B59DC1493EC641B899E5.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\E003588E3DA0B59DC1493EC641B899E5.XZZX, size = 44	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\E003588E3DA0B59DC1493EC641B899E5.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\E003588E3DA0B59DC1493EC641B899E5.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\E003588E3DA0B59DC1493EC641B899E5.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 100, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 101, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\TWlZw1pNzI1gwZW3OH.mp3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\TWlZw1pNzI1gwZW3OH.mp3	1	Fn

Thread 0xb78

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\UazSw8R1r.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\UazSw8R1r.wav, size = 84111, size_out = 84111	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\54E892FC383D1FA0EE2D03953C6A03E8.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\54E892FC383D1FA0EE2D03953C6A03E8.XZZX, size = 84111	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\54E892FC383D1FA0EE2D03953C6A03E8.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\54E892FC383D1FA0EE2D03953C6A03E8.XZZX, size = 26	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\54E892FC383D1FA0EE2D03953C6A03E8.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\54E892FC383D1FA0EE2D03953C6A03E8.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\54E892FC383D1FA0EE2D03953C6A03E8.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 101, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 102, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\UazSw8R1r.wav	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\UazSw8R1r.wav	1	Fn

Thread 0x978

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\X7t8w3.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\X7t8w3.m4a, size = 37954, size_out = 37954	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7720e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\23947E243409DC7CAF2C62063821C0C4.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\23947E243409DC7CAF2C62063821C0C4.XZZX, size = 37954	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\23947E243409DC7CAF2C62063821C0C4.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\23947E243409DC7CAF2C62063821C0C4.XZZX, size = 20	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\23947E243409DC7CAF2C62063821C0C4.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7722779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\23947E243409DC7CAF2C62063821C0C4.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\23947E243409DC7CAF2C62063821C0C4.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 102, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 103, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76a389b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\X7t8w3.m4a	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\X7t8w3.m4a	1	Fn

Thread 0x9bc

(Host: 3, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\2zrMBovJou.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\2zrMBovJou.wav, size = 91071, size_out = 91071		1	Fn Data

Thread 0xa58

(Host: 3, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\btD83YaGWQR.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\btD83YaGWQR.m4a, size = 31101, size_out = 31101		1	Fn Data

Process #2: cmd.exe

(Host: 57, Network: 0)

Information	Value
ID	#2
File Name	c:\windows\syswow64\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /C sc stop VVS
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:20, Reason: Child Process
Unmonitor	End Time: 00:04:21, Reason: Terminated by Timeout
Monitor Duration	00:04:01

OS Process Information

Information	Value
PID	0xa1c
Parent PID	0x9c4 (c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000101a7 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A20

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000110000	0x00110000	0x0018ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001b0000	0x001b0000	0x001effff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000240000	0x00240000	0x0033ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000003e0000	0x003e0000	0x004dffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000650000	0x00650000	0x0065ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000660000	0x00660000	0x007e7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007f0000	0x007f0000	0x00970fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000980000	0x00980000	0x01d7ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001d80000	0x01d80000	0x020c2fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x020d0000	0x0239efff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x4a510000	0x4a55bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74bd0000	0x74bd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74be0000	0x74c3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74c40000	0x74c7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x74c80000	0x74c86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x751f0000	0x751fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75200000	0x7525ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75660000	0x7574ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76430000	0x7652ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x767d0000	0x7689bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x768a0000	0x768fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76a20000	0x76b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76c90000	0x76cd5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76ce0000	0x76d8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76e20000	0x76eaffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76f00000	0x76f9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76fa0000	0x76fb8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x77200000	0x7729ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000772a0000	0x772a0000	0x773befff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x00000000773c0000	0x773c0000	0x774b9fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x774c0000	0x77668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77670000	0x77679fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776a0000	0x7781ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xa20

(Host: 51, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-11-14 19:02:12 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 83179	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\cmd.exe, base_address = 0x4a510000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76a4a84f	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x76a53b92	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76a34a5d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76a4a79d	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\sc.exe, os_pid = 0xb04, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000424	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #3: cmd.exe

(Host: 57, Network: 0)

Information	Value
ID	#3
File Name	c:\windows\syswow64\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /C sc stop wscsvc
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:20, Reason: Child Process
Unmonitor	End Time: 00:04:21, Reason: Terminated by Timeout
Monitor Duration	00:04:01

OS Process Information

Information	Value
PID	0xa28
Parent PID	0x9c4 (c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000101a7 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A2C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x00071fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000090000	0x00090000	0x00090fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000000d0000	0x000d0000	0x0014ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001b0000	0x001b0000	0x001effff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x001f0000	0x00256fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000320000	0x00320000	0x0041ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000480000	0x00480000	0x0057ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000680000	0x00680000	0x0068ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000690000	0x00690000	0x00817fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000820000	0x00820000	0x009a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000009b0000	0x009b0000	0x01daffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001db0000	0x01db0000	0x020f2fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x02100000	0x023cefff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x4a510000	0x4a55bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74bd0000	0x74bd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74be0000	0x74c3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74c40000	0x74c7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x74c80000	0x74c86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x751f0000	0x751fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75200000	0x7525ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75660000	0x7574ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76430000	0x7652ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x767d0000	0x7689bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x768a0000	0x768fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76a20000	0x76b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76c90000	0x76cd5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76ce0000	0x76d8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76e20000	0x76eaffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76f00000	0x76f9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76fa0000	0x76fb8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x77200000	0x7729ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000772a0000	0x772a0000	0x773befff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x00000000773c0000	0x773c0000	0x774b9fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x774c0000	0x77668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77670000	0x77679fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776a0000	0x7781ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xa2c

(Host: 51, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-11-14 19:02:12 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 83101	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\cmd.exe, base_address = 0x4a510000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76a4a84f	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x76a53b92	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76a34a5d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76a4a79d	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\sc.exe, os_pid = 0xae4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000426	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #4: cmd.exe

(Host: 57, Network: 0)

Information	Value
ID	#4
File Name	c:\windows\syswow64\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /C sc stop WinDefend
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:20, Reason: Child Process
Unmonitor	End Time: 00:04:21, Reason: Terminated by Timeout
Monitor Duration	00:04:01

OS Process Information

Information	Value
PID	0xa44
Parent PID	0x9c4 (c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000101a7 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A48

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x00071fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000090000	0x00090000	0x00090fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000000d0000	0x000d0000	0x0010ffff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x00110000	0x00176fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000190000	0x00190000	0x0028ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000003c0000	0x003c0000	0x003cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000003d0000	0x003d0000	0x0044ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000590000	0x00590000	0x0068ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000690000	0x00690000	0x00817fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000820000	0x00820000	0x009a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000009b0000	0x009b0000	0x01daffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001db0000	0x01db0000	0x020f2fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x02100000	0x023cefff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x4a510000	0x4a55bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74bd0000	0x74bd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74be0000	0x74c3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74c40000	0x74c7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x74c80000	0x74c86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x751f0000	0x751fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75200000	0x7525ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75660000	0x7574ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76430000	0x7652ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x767d0000	0x7689bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x768a0000	0x768fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76a20000	0x76b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76c90000	0x76cd5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76ce0000	0x76d8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76e20000	0x76eaffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76f00000	0x76f9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76fa0000	0x76fb8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x77200000	0x7729ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000772a0000	0x772a0000	0x773befff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x00000000773c0000	0x773c0000	0x774b9fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x774c0000	0x77668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77670000	0x77679fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776a0000	0x7781ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xa48

(Host: 51, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-11-14 19:02:12 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 83522	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\cmd.exe, base_address = 0x4a510000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76a4a84f	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x76a53b92	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76a34a5d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76a4a79d	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\sc.exe, os_pid = 0xb28, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000426	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #5: cmd.exe

(Host: 57, Network: 0)

Information	Value
ID	#5
File Name	c:\windows\syswow64\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /C sc stop wuauserv
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:20, Reason: Child Process
Unmonitor	End Time: 00:04:21, Reason: Terminated by Timeout
Monitor Duration	00:04:01

OS Process Information

Information	Value
PID	0xa64
Parent PID	0x9c4 (c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000101a7 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A68

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x00071fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000090000	0x00090000	0x00090fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000000b0000	0x000b0000	0x000effff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000130000	0x00130000	0x001affff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x001b0000	0x00216fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000250000	0x00250000	0x0034ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000390000	0x00390000	0x0048ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000004e0000	0x004e0000	0x004effff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000004f0000	0x004f0000	0x00677fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000680000	0x00680000	0x00800fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000810000	0x00810000	0x01c0ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001c10000	0x01c10000	0x01f52fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01f60000	0x0222efff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x4a510000	0x4a55bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74bd0000	0x74bd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74be0000	0x74c3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74c40000	0x74c7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x74c80000	0x74c86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x751f0000	0x751fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75200000	0x7525ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75660000	0x7574ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76430000	0x7652ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x767d0000	0x7689bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x768a0000	0x768fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76a20000	0x76b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76c90000	0x76cd5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76ce0000	0x76d8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76e20000	0x76eaffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76f00000	0x76f9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76fa0000	0x76fb8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x77200000	0x7729ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000772a0000	0x772a0000	0x773befff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x00000000773c0000	0x773c0000	0x774b9fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x774c0000	0x77668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77670000	0x77679fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776a0000	0x7781ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xa68

(Host: 51, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-11-14 19:02:12 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 83210	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\cmd.exe, base_address = 0x4a510000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76a4a84f	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x76a53b92	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76a34a5d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76a4a79d	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\sc.exe, os_pid = 0xad4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000426	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #6: cmd.exe

(Host: 57, Network: 0)

Information	Value
ID	#6
File Name	c:\windows\syswow64\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /C sc stop BITS
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:20, Reason: Child Process
Unmonitor	End Time: 00:04:21, Reason: Terminated by Timeout
Monitor Duration	00:04:01

OS Process Information

Information	Value
PID	0xa78
Parent PID	0x9c4 (c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000101a7 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A7C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x00071fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000190000	0x00190000	0x00190fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001f0000	0x001f0000	0x0022ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000240000	0x00240000	0x002bffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002d0000	0x002d0000	0x003cffff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x003d0000	0x00436fff	Memory Mapped File	Readable	Region Actions
private_0x00000000005c0000	0x005c0000	0x005cffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000005d0000	0x005d0000	0x00757fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000760000	0x00760000	0x008e0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000008f0000	0x008f0000	0x01ceffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001cf0000	0x01cf0000	0x02032fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x02040000	0x0230efff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x4a510000	0x4a55bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74bd0000	0x74bd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74be0000	0x74c3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74c40000	0x74c7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x74c80000	0x74c86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x751f0000	0x751fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75200000	0x7525ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75660000	0x7574ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76430000	0x7652ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x767d0000	0x7689bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x768a0000	0x768fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76a20000	0x76b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76c90000	0x76cd5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76ce0000	0x76d8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76e20000	0x76eaffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76f00000	0x76f9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76fa0000	0x76fb8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x77200000	0x7729ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000772a0000	0x772a0000	0x773befff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x00000000773c0000	0x773c0000	0x774b9fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x774c0000	0x77668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77670000	0x77679fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776a0000	0x7781ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xa7c

(Host: 51, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-11-14 19:02:12 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 83117	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\cmd.exe, base_address = 0x4a510000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76a4a84f	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x76a53b92	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76a34a5d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76a4a79d	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\sc.exe, os_pid = 0xadc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000426	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #7: cmd.exe

(Host: 57, Network: 0)

Information	Value
ID	#7
File Name	c:\windows\syswow64\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /C sc stop ERSvc
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:20, Reason: Child Process
Unmonitor	End Time: 00:04:21, Reason: Terminated by Timeout
Monitor Duration	00:04:01

OS Process Information

Information	Value
PID	0xa94
Parent PID	0x9c4 (c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000101a7 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A98

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x00071fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000090000	0x00090000	0x000cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000000f0000	0x000f0000	0x0016ffff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x00170000	0x001d6fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000270000	0x00270000	0x0036ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000390000	0x00390000	0x0048ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000590000	0x00590000	0x0059ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000005a0000	0x005a0000	0x00727fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000730000	0x00730000	0x008b0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000008c0000	0x008c0000	0x01cbffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001cc0000	0x01cc0000	0x02002fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x02010000	0x022defff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x4a510000	0x4a55bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74bd0000	0x74bd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74be0000	0x74c3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74c40000	0x74c7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x74c80000	0x74c86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x751f0000	0x751fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75200000	0x7525ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75660000	0x7574ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76430000	0x7652ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x767d0000	0x7689bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x768a0000	0x768fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76a20000	0x76b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76c90000	0x76cd5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76ce0000	0x76d8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76e20000	0x76eaffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76f00000	0x76f9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76fa0000	0x76fb8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x77200000	0x7729ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000772a0000	0x772a0000	0x773befff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x00000000773c0000	0x773c0000	0x774b9fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x774c0000	0x77668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77670000	0x77679fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776a0000	0x7781ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xa98

(Host: 51, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-11-14 19:02:12 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 83616	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\cmd.exe, base_address = 0x4a510000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76a4a84f	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x76a53b92	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76a34a5d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76a4a79d	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\sc.exe, os_pid = 0xb34, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000424	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #8: cmd.exe

(Host: 57, Network: 0)

Information	Value
ID	#8
File Name	c:\windows\syswow64\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /C sc stop WerSvc
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:20, Reason: Child Process
Unmonitor	End Time: 00:04:21, Reason: Terminated by Timeout
Monitor Duration	00:04:01

OS Process Information

Information	Value
PID	0xaa8
Parent PID	0x9c4 (c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000101a7 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x AAC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000190000	0x00190000	0x0019ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001f0000	0x001f0000	0x0022ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000240000	0x00240000	0x0033ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000340000	0x00340000	0x004c7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000520000	0x00520000	0x0059ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000005a0000	0x005a0000	0x00720fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000780000	0x00780000	0x0087ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000880000	0x00880000	0x01c7ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001c80000	0x01c80000	0x01fc2fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01fd0000	0x0229efff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x4a510000	0x4a55bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74bd0000	0x74bd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74be0000	0x74c3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74c40000	0x74c7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x74c80000	0x74c86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x751f0000	0x751fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75200000	0x7525ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75660000	0x7574ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76430000	0x7652ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x767d0000	0x7689bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x768a0000	0x768fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76a20000	0x76b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76c90000	0x76cd5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76ce0000	0x76d8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76e20000	0x76eaffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76f00000	0x76f9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76fa0000	0x76fb8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x77200000	0x7729ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000772a0000	0x772a0000	0x773befff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x00000000773c0000	0x773c0000	0x774b9fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x774c0000	0x77668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77670000	0x77679fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776a0000	0x7781ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xaac

(Host: 51, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-11-14 19:02:12 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 83990	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\cmd.exe, base_address = 0x4a510000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76a4a84f	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x76a53b92	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76a34a5d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76a4a79d	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\sc.exe, os_pid = 0xb50, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000426	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #9: sc.exe

(Host: 9, Network: 0)

Information	Value
ID	#9
File Name	c:\windows\syswow64\sc.exe
Command Line	sc stop wuauserv
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:20, Reason: Child Process
Unmonitor	End Time: 00:04:21, Reason: Terminated by Timeout
Monitor Duration	00:04:01

OS Process Information

Information	Value
PID	0xad4
Parent PID	0xa64 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000101a7 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x AD8 0x B70

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000090000	0x00090000	0x00093fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000a0000	0x000a0000	0x000a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000b0000	0x000b0000	0x000b1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
sc.exe.mui	0x000c0000	0x000cffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x0012ffff	Private Memory	Readable, Writable	Region Actions Download Dump
sc.exe	0x00180000	0x0018bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
locale.nls	0x00190000	0x001f6fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000290000	0x00290000	0x0030ffff	Private Memory	Readable, Writable	Region Actions Download Dump
kernelbase.dll.mui	0x00310000	0x003cffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000410000	0x00410000	0x0050ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000640000	0x00640000	0x0064ffff	Private Memory	Readable, Writable	Region Actions Download Dump
wow64cpu.dll	0x74bd0000	0x74bd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74be0000	0x74c3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74c40000	0x74c7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x751f0000	0x751fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75200000	0x7525ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75660000	0x7574ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76a20000	0x76b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76c90000	0x76cd5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76ce0000	0x76d8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76fa0000	0x76fb8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x77200000	0x7729ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000772a0000	0x772a0000	0x773befff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x00000000773c0000	0x773c0000	0x774b9fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x774c0000	0x77668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776a0000	0x7781ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xad8

(Host: 9, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-11-14 19:02:13 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 84193	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\sc.exe, base_address = 0x180000	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Control	service_name = wuauserv	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 73	1	Fn Data

Process #10: sc.exe

(Host: 9, Network: 0)

Information	Value
ID	#10
File Name	c:\windows\syswow64\sc.exe
Command Line	sc stop BITS
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:20, Reason: Child Process
Unmonitor	End Time: 00:04:21, Reason: Terminated by Timeout
Monitor Duration	00:04:01

OS Process Information

Information	Value
PID	0xadc
Parent PID	0xa78 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000101a7 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x AE0 0x B48

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x00071fff	Pagefile Backed Memory	Readable, Writable	Region Actions
sc.exe.mui	0x00080000	0x0008ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x0010ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000120000	0x00120000	0x0015ffff	Private Memory	Readable, Writable	Region Actions Download Dump
sc.exe	0x00180000	0x0018bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
locale.nls	0x00190000	0x001f6fff	Memory Mapped File	Readable	Region Actions
kernelbase.dll.mui	0x00200000	0x002bffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000002c0000	0x002c0000	0x002cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000310000	0x00310000	0x0038ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000510000	0x00510000	0x0060ffff	Private Memory	Readable, Writable	Region Actions Download Dump
wow64cpu.dll	0x74bd0000	0x74bd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74be0000	0x74c3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74c40000	0x74c7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x751f0000	0x751fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75200000	0x7525ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75660000	0x7574ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76a20000	0x76b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76c90000	0x76cd5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76ce0000	0x76d8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76fa0000	0x76fb8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x77200000	0x7729ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000772a0000	0x772a0000	0x773befff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x00000000773c0000	0x773c0000	0x774b9fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x774c0000	0x77668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776a0000	0x7781ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xae0

(Host: 9, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-11-14 19:02:12 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 83756	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\sc.exe, base_address = 0x180000	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Control	service_name = BITS	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 73	1	Fn Data

Process #11: sc.exe

(Host: 9, Network: 0)

Information	Value
ID	#11
File Name	c:\windows\syswow64\sc.exe
Command Line	sc stop wscsvc
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:20, Reason: Child Process
Unmonitor	End Time: 00:04:21, Reason: Terminated by Timeout
Monitor Duration	00:04:01

OS Process Information

Information	Value
PID	0xae4
Parent PID	0xa28 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000101a7 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x AE8 0x B4C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000070000	0x00070000	0x000affff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x000b0000	0x00116fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000120000	0x00120000	0x00121fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000130000	0x00130000	0x0016ffff	Private Memory	Readable, Writable	Region Actions Download Dump
sc.exe.mui	0x00170000	0x0017ffff	Memory Mapped File	Readable, Writable	Region Actions
sc.exe	0x00180000	0x0018bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000001b0000	0x001b0000	0x0022ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x0034ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000003e0000	0x003e0000	0x003effff	Private Memory	Readable, Writable	Region Actions Download Dump
kernelbase.dll.mui	0x003f0000	0x004affff	Memory Mapped File	Readable, Writable	Region Actions
wow64cpu.dll	0x74bd0000	0x74bd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74be0000	0x74c3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74c40000	0x74c7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x751f0000	0x751fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75200000	0x7525ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75660000	0x7574ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76a20000	0x76b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76c90000	0x76cd5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76ce0000	0x76d8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76fa0000	0x76fb8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x77200000	0x7729ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000772a0000	0x772a0000	0x773befff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x00000000773c0000	0x773c0000	0x774b9fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x774c0000	0x77668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776a0000	0x7781ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xae8

(Host: 9, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-11-14 19:02:12 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 83772	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\sc.exe, base_address = 0x180000	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Control	service_name = wscsvc	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 73	1	Fn Data

Process #12: cmd.exe

(Host: 57, Network: 0)

Information	Value
ID	#12
File Name	c:\windows\syswow64\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:20, Reason: Child Process
Unmonitor	End Time: 00:04:21, Reason: Terminated by Timeout
Monitor Duration	00:04:01

OS Process Information

Information	Value
PID	0xaec
Parent PID	0x9c4 (c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000101a7 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x AF0

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000110000	0x00110000	0x0014ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x0034ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000450000	0x00450000	0x004cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000005d0000	0x005d0000	0x006cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000840000	0x00840000	0x0084ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000850000	0x00850000	0x009d7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000009e0000	0x009e0000	0x00b60fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000b70000	0x00b70000	0x01f6ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001f70000	0x01f70000	0x022b2fff	Pagefile Backed Memory	Readable	Region Actions
cmd.exe	0x4a510000	0x4a55bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x73fa0000	0x73fa6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74bd0000	0x74bd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74be0000	0x74c3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74c40000	0x74c7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x751f0000	0x751fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75200000	0x7525ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75660000	0x7574ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76430000	0x7652ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x767d0000	0x7689bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x768a0000	0x768fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76a20000	0x76b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76c90000	0x76cd5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76ce0000	0x76d8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76e20000	0x76eaffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76f00000	0x76f9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76fa0000	0x76fb8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x77200000	0x7729ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000772a0000	0x772a0000	0x773befff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x00000000773c0000	0x773c0000	0x774b9fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x774c0000	0x77668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77670000	0x77679fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776a0000	0x7781ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xaf0

(Host: 51, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-11-14 19:02:13 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 84490	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\cmd.exe, base_address = 0x4a510000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76a4a84f	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x76a53b92	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76a34a5d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76a4a79d	1	Fn
File	Get Info	filename = vssadmin.exe, type = file_attributes	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000002	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #13: sc.exe

(Host: 8, Network: 0)

Information	Value
ID	#13
File Name	c:\windows\syswow64\sc.exe
Command Line	sc stop VVS
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:20, Reason: Child Process
Unmonitor	End Time: 00:04:21, Reason: Terminated by Timeout
Monitor Duration	00:04:01

OS Process Information

Information	Value
PID	0xb04
Parent PID	0xa1c (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000101a7 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x B08 0x B44

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x00071fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000080000	0x00080000	0x0008ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000090000	0x00090000	0x000cffff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x000d0000	0x00136fff	Memory Mapped File	Readable	Region Actions
sc.exe.mui	0x00140000	0x0014ffff	Memory Mapped File	Readable, Writable	Region Actions
sc.exe	0x00180000	0x0018bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000210000	0x00210000	0x0024ffff	Private Memory	Readable, Writable	Region Actions Download Dump
kernelbase.dll.mui	0x00250000	0x0030ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000340000	0x00340000	0x003bffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000004b0000	0x004b0000	0x005affff	Private Memory	Readable, Writable	Region Actions Download Dump
wow64cpu.dll	0x74bd0000	0x74bd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74be0000	0x74c3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74c40000	0x74c7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x751f0000	0x751fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75200000	0x7525ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75660000	0x7574ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76a20000	0x76b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76c90000	0x76cd5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76ce0000	0x76d8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76fa0000	0x76fb8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x77200000	0x7729ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000772a0000	0x772a0000	0x773befff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x00000000773c0000	0x773c0000	0x774b9fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x774c0000	0x77668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776a0000	0x7781ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xb08

(Host: 8, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-11-14 19:02:12 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 83912	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\sc.exe, base_address = 0x180000	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 98	1	Fn Data

Process #14: cmd.exe

(Host: 55, Network: 0)

Information	Value
ID	#14
File Name	c:\windows\syswow64\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled No
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:21, Reason: Child Process
Unmonitor	End Time: 00:04:21, Reason: Terminated by Timeout
Monitor Duration	00:04:00

OS Process Information

Information	Value
PID	0xb14
Parent PID	0x9c4 (c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000101a7 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x B18

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001f0000	0x001f0000	0x0022ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000340000	0x00340000	0x0043ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000570000	0x00570000	0x0057ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000005e0000	0x005e0000	0x0065ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000660000	0x00660000	0x007e7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000800000	0x00800000	0x008fffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000900000	0x00900000	0x00a80fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000a90000	0x00a90000	0x01e8ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001e90000	0x01e90000	0x021d2fff	Pagefile Backed Memory	Readable	Region Actions
cmd.exe	0x4a510000	0x4a55bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x73fa0000	0x73fa6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74bd0000	0x74bd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74be0000	0x74c3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74c40000	0x74c7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x751f0000	0x751fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75200000	0x7525ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75660000	0x7574ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76430000	0x7652ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x767d0000	0x7689bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x768a0000	0x768fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76a20000	0x76b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76c90000	0x76cd5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76ce0000	0x76d8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76e20000	0x76eaffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76f00000	0x76f9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76fa0000	0x76fb8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x77200000	0x7729ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000772a0000	0x772a0000	0x773befff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x00000000773c0000	0x773c0000	0x774b9fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x774c0000	0x77668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77670000	0x77679fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776a0000	0x7781ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xb18

(Host: 48, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-11-14 19:02:13 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 84505	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\cmd.exe, base_address = 0x4a510000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76a4a84f	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x76a53b92	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76a34a5d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76a4a79d	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	2	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 98	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #15: sc.exe

(Host: 9, Network: 0)

Information	Value
ID	#15
File Name	c:\windows\syswow64\sc.exe
Command Line	sc stop WinDefend
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:21, Reason: Child Process
Unmonitor	End Time: 00:04:21, Reason: Terminated by Timeout
Monitor Duration	00:04:00

OS Process Information

Information	Value
PID	0xb28
Parent PID	0xa44 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000101a7 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x B2C 0x B5C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x00071fff	Pagefile Backed Memory	Readable, Writable	Region Actions
sc.exe.mui	0x00080000	0x0008ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x0010ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000120000	0x00120000	0x0015ffff	Private Memory	Readable, Writable	Region Actions Download Dump
sc.exe	0x00180000	0x0018bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
locale.nls	0x00190000	0x001f6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000002a0000	0x002a0000	0x002affff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002f0000	0x002f0000	0x0036ffff	Private Memory	Readable, Writable	Region Actions Download Dump
kernelbase.dll.mui	0x00370000	0x0042ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000004d0000	0x004d0000	0x005cffff	Private Memory	Readable, Writable	Region Actions Download Dump
wow64cpu.dll	0x74bd0000	0x74bd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74be0000	0x74c3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74c40000	0x74c7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x751f0000	0x751fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75200000	0x7525ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75660000	0x7574ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76a20000	0x76b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76c90000	0x76cd5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76ce0000	0x76d8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76fa0000	0x76fb8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x77200000	0x7729ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000772a0000	0x772a0000	0x773befff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x00000000773c0000	0x773c0000	0x774b9fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x774c0000	0x77668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776a0000	0x7781ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xb2c

(Host: 9, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-11-14 19:02:13 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 84131	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\sc.exe, base_address = 0x180000	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Control	service_name = WinDefend	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 73	1	Fn Data

Process #16: sc.exe

(Host: 8, Network: 0)

Information	Value
ID	#16
File Name	c:\windows\syswow64\sc.exe
Command Line	sc stop ERSvc
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:21, Reason: Child Process
Unmonitor	End Time: 00:04:21, Reason: Terminated by Timeout
Monitor Duration	00:04:00

OS Process Information

Information	Value
PID	0xb34
Parent PID	0xa94 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000101a7 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x B38 0x B58

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x00071fff	Pagefile Backed Memory	Readable, Writable	Region Actions
sc.exe.mui	0x00080000	0x0008ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x0010ffff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x00110000	0x00176fff	Memory Mapped File	Readable	Region Actions
sc.exe	0x00180000	0x0018bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000210000	0x00210000	0x0021ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002c0000	0x002c0000	0x002fffff	Private Memory	Readable, Writable	Region Actions Download Dump
kernelbase.dll.mui	0x00300000	0x003bffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000004d0000	0x004d0000	0x0054ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000720000	0x00720000	0x0081ffff	Private Memory	Readable, Writable	Region Actions Download Dump
wow64cpu.dll	0x74bd0000	0x74bd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74be0000	0x74c3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74c40000	0x74c7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x751f0000	0x751fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75200000	0x7525ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75660000	0x7574ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76a20000	0x76b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76c90000	0x76cd5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76ce0000	0x76d8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76fa0000	0x76fb8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x77200000	0x7729ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000772a0000	0x772a0000	0x773befff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x00000000773c0000	0x773c0000	0x774b9fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x774c0000	0x77668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776a0000	0x7781ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xb38

(Host: 8, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-11-14 19:02:13 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 84100	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\sc.exe, base_address = 0x180000	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 98	1	Fn Data

Process #17: sc.exe

(Host: 9, Network: 0)

Information	Value
ID	#17
File Name	c:\windows\syswow64\sc.exe
Command Line	sc stop WerSvc
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:21, Reason: Child Process
Unmonitor	End Time: 00:04:21, Reason: Terminated by Timeout
Monitor Duration	00:04:00

OS Process Information

Information	Value
PID	0xb50
Parent PID	0xaa8 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000101a7 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x B54 0x B74

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x00071fff	Pagefile Backed Memory	Readable, Writable	Region Actions
sc.exe.mui	0x00080000	0x0008ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x000cffff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x000d0000	0x00136fff	Memory Mapped File	Readable	Region Actions
sc.exe	0x00180000	0x0018bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000001b0000	0x001b0000	0x001effff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000260000	0x00260000	0x002dffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000350000	0x00350000	0x0044ffff	Private Memory	Readable, Writable	Region Actions Download Dump
kernelbase.dll.mui	0x00450000	0x0050ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000005f0000	0x005f0000	0x005fffff	Private Memory	Readable, Writable	Region Actions Download Dump
wow64cpu.dll	0x74bd0000	0x74bd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74be0000	0x74c3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74c40000	0x74c7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x751f0000	0x751fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75200000	0x7525ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75660000	0x7574ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76a20000	0x76b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76c90000	0x76cd5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76ce0000	0x76d8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76fa0000	0x76fb8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x77200000	0x7729ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000772a0000	0x772a0000	0x773befff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x00000000773c0000	0x773c0000	0x774b9fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x774c0000	0x77668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776a0000	0x7781ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xb54

(Host: 9, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-11-14 19:02:13 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 84302	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\sc.exe, base_address = 0x180000	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Control	service_name = WerSvc	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 73	1	Fn Data

Process #18: cmd.exe

(Host: 55, Network: 0)

Information	Value
ID	#18
File Name	c:\windows\syswow64\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:21, Reason: Child Process
Unmonitor	End Time: 00:04:21, Reason: Terminated by Timeout
Monitor Duration	00:04:00

OS Process Information

Information	Value
PID	0xb68
Parent PID	0x9c4 (c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000101a7 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x B6C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000190000	0x00190000	0x0019ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000210000	0x00210000	0x0024ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000320000	0x00320000	0x0041ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000420000	0x00420000	0x005a7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000005c0000	0x005c0000	0x0063ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000640000	0x00640000	0x007c0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000007e0000	0x007e0000	0x008dffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000008e0000	0x008e0000	0x01cdffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001ce0000	0x01ce0000	0x02022fff	Pagefile Backed Memory	Readable	Region Actions
cmd.exe	0x4a510000	0x4a55bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x73fa0000	0x73fa6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74bd0000	0x74bd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74be0000	0x74c3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74c40000	0x74c7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x751f0000	0x751fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75200000	0x7525ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75660000	0x7574ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76430000	0x7652ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x767d0000	0x7689bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x768a0000	0x768fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76a20000	0x76b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76c90000	0x76cd5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76ce0000	0x76d8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76e20000	0x76eaffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76f00000	0x76f9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76fa0000	0x76fb8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x77200000	0x7729ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000772a0000	0x772a0000	0x773befff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x00000000773c0000	0x773c0000	0x774b9fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x774c0000	0x77668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77670000	0x77679fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776a0000	0x7781ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xb6c

(Host: 48, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-11-14 19:02:13 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 84614	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\cmd.exe, base_address = 0x4a510000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76a4a84f	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76a20000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x76a53b92	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76a34a5d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76a4a79d	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	2	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 98	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #19: vssadmin.exe

Information	Value
ID	#19
File Name	c:\windows\syswow64\vssadmin.exe
Command Line	vssadmin.exe Delete Shadows /All /Quiet
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:22, Reason: Child Process
Unmonitor	End Time: 00:04:21, Reason: Terminated by Timeout
Monitor Duration	00:03:59
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0xb98
Parent PID	0xaec (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000101a7 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x B9C 0x BAC 0x BB0 0x BB4 0x BB8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x00071fff	Pagefile Backed Memory	Readable, Writable	Region Actions
vssadmin.exe.mui	0x00080000	0x0008cfff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x00090fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000000a0000	0x000a0000	0x000a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000000b0000	0x000b0000	0x0012ffff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x00130000	0x00196fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001b0000	0x001b0000	0x001b0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001d0000	0x001d0000	0x0020ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000220000	0x00220000	0x0025ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000260000	0x00260000	0x0029ffff	Private Memory	Readable, Writable	Region Actions Download Dump
vssadmin.exe	0x00380000	0x0039efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000003e0000	0x003e0000	0x004dffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000004e0000	0x004e0000	0x00667fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000006c0000	0x006c0000	0x006cffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000006d0000	0x006d0000	0x00850fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000860000	0x00860000	0x01c5ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001ce0000	0x01ce0000	0x01d1ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001d20000	0x01d20000	0x01d5ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001db0000	0x01db0000	0x01deffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x01df0000	0x020befff	Memory Mapped File	Readable	Region Actions
vssapi.dll	0x73b70000	0x73c85fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x73f80000	0x73f93fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74bd0000	0x74bd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74be0000	0x74c3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74c40000	0x74c7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vsstrace.dll	0x74c80000	0x74c8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74de0000	0x74e1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74e20000	0x74e35fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x75000000	0x7500dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x751f0000	0x751fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75200000	0x7525ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75260000	0x753bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75660000	0x7574ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75750000	0x757defff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76430000	0x7652ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x767d0000	0x7689bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x768a0000	0x768fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x76900000	0x76982fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76a20000	0x76b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76c90000	0x76cd5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76ce0000	0x76d8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76e20000	0x76eaffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76f00000	0x76f9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76fa0000	0x76fb8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x77200000	0x7729ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000772a0000	0x772a0000	0x773befff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x00000000773c0000	0x773c0000	0x774b9fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x774c0000	0x77668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77670000	0x77679fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776a0000	0x7781ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Process #22: xzzx_cryptmix.vir.exe

(Host: 2490, Network: 0)

Information	Value
ID	#22
File Name	c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe
Command Line	"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:16, Reason: Autostart
Unmonitor	End Time: 00:04:21, Reason: Terminated by Timeout
Monitor Duration	00:03:05

OS Process Information

Information	Value
PID	0x544
Parent PID	0x45c (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e620 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 548 0x 60C 0x 634 0x 640 0x 644 0x 690 0x 6AC 0x 6C4 0x 6DC 0x 6FC 0x 710 0x 718 0x 728 0x 734 0x 750 0x 760 0x 774 0x 780

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001b0000	0x001b0000	0x001b6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001c0000	0x001c0000	0x001c1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000001d0000	0x001d0000	0x001dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001e0000	0x001e0000	0x001e0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001e0000	0x001e0000	0x001e0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000001f0000	0x001f0000	0x001f1fff	Pagefile Backed Memory	Readable	Region Actions
windowsshell.manifest	0x00200000	0x00200fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000200000	0x00200000	0x00200fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000210000	0x00210000	0x0028ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000290000	0x00290000	0x00291fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000002a0000	0x002a0000	0x002a0fff	Pagefile Backed Memory	Readable	Region Actions
cversions.1.db	0x002b0000	0x002b3fff	Memory Mapped File	Readable	Region Actions
private_0x00000000002b0000	0x002b0000	0x002b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002c0000	0x002c0000	0x002cffff	Private Memory	Readable, Writable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000013.db	0x002d0000	0x002edfff	Memory Mapped File	Readable	Region Actions
private_0x00000000002f0000	0x002f0000	0x003effff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x003f0000	0x00456fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000460000	0x00460000	0x0049ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004a0000	0x004a0000	0x004a0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000004b0000	0x004b0000	0x004b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004c0000	0x004c0000	0x004cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004d0000	0x004d0000	0x00657fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000660000	0x00660000	0x007e0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007f0000	0x007f0000	0x01beffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001bf0000	0x01bf0000	0x01c6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c70000	0x01c70000	0x01d9ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001c70000	0x01c70000	0x01d4efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001d50000	0x01d50000	0x01d50fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d60000	0x01d60000	0x01d9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001da0000	0x01da0000	0x01da0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001db0000	0x01db0000	0x01deffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001df0000	0x01df0000	0x021e2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000021f0000	0x021f0000	0x022effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000022f0000	0x022f0000	0x0232ffff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x02330000	0x0236bfff	Memory Mapped File	Readable	Region Actions
private_0x0000000002330000	0x02330000	0x0236ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002370000	0x02370000	0x023affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000023b0000	0x023b0000	0x023b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000023c0000	0x023c0000	0x02487fff	Private Memory	Readable, Writable, Executable	Region Actions
sortdefault.nls	0x02490000	0x0275efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002760000	0x02760000	0x0285ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002860000	0x02860000	0x0295ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002960000	0x02960000	0x02a5ffff	Private Memory	Readable, Writable	Region Actions
kernelbase.dll.mui	0x02a60000	0x02b1ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000002b20000	0x02b20000	0x02b5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b60000	0x02b60000	0x02c5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002c60000	0x02c60000	0x02d5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002d60000	0x02d60000	0x02d9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002da0000	0x02da0000	0x02e9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ea0000	0x02ea0000	0x02f9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002fa0000	0x02fa0000	0x02fdffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002fe0000	0x02fe0000	0x030dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000030e0000	0x030e0000	0x030e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000030f0000	0x030f0000	0x030f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003100000	0x03100000	0x03100fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003110000	0x03110000	0x03110fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003120000	0x03120000	0x03120fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003130000	0x03130000	0x03130fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003140000	0x03140000	0x03140fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003150000	0x03150000	0x03150fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003160000	0x03160000	0x03160fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003170000	0x03170000	0x03170fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003180000	0x03180000	0x03180fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003190000	0x03190000	0x03190fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000031a0000	0x031a0000	0x031a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000031b0000	0x031b0000	0x031b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000031c0000	0x031c0000	0x031c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000031d0000	0x031d0000	0x031d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000031e0000	0x031e0000	0x031e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000031f0000	0x031f0000	0x031f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003200000	0x03200000	0x03200fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003210000	0x03210000	0x03210fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003220000	0x03220000	0x03220fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003230000	0x03230000	0x03230fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003240000	0x03240000	0x03240fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003250000	0x03250000	0x03250fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003260000	0x03260000	0x03260fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003270000	0x03270000	0x03270fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003280000	0x03280000	0x03280fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003290000	0x03290000	0x03290fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000032a0000	0x032a0000	0x032a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000032b0000	0x032b0000	0x032b0fff	Private Memory	Readable, Writable	Region Actions
xzzx_cryptmix.vir.exe	0x55820000	0x5585bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x729a0000	0x729a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pdh.dll	0x729b0000	0x729ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x729f0000	0x72a73fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x731a0000	0x731a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x731b0000	0x731c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x731f0000	0x7326ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x73270000	0x7340dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x73410000	0x73417fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x73420000	0x7347bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x73480000	0x734befff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x74840000	0x74860fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x74870000	0x74964fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x74970000	0x7497dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74980000	0x749bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x749c0000	0x749d5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x749f0000	0x749fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74a00000	0x74a5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74a60000	0x74abffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x74ad0000	0x74b5efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x74b90000	0x74c0afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x74c10000	0x74c36fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x74c40000	0x74c85fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x74c90000	0x74ca1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x74cb0000	0x758f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75960000	0x759fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x75a90000	0x75b12fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75c50000	0x75cdffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75ce0000	0x75deffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x75df0000	0x75e46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x75e50000	0x75eecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x76030000	0x76074fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76280000	0x7632bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76330000	0x76348fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76350000	0x764abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x764b0000	0x765affff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x766f0000	0x767bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x767c0000	0x767c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x767d0000	0x768bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x768c0000	0x76a5cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076aa0000	0x76aa0000	0x76bbefff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076bc0000	0x76bc0000	0x76cb9fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76cc0000	0x76e68fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76ea0000	0x7701ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efa7000	0x7efa7000	0x7efa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efaa000	0x7efaa000	0x7efacfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions
For performance reasons, the remaining 67 entries are omitted. The remaining entries can be found in flog.txt.

Threads

Thread 0x548

(Host: 2236, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-11-14 19:03:07 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 16380	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x75cf4f2b	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x75cf1252	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x75cf4208	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x75cf359f	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75ce0000	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapCreate, address_out = 0x75cf4a2d	1	Fn
Window	Set Attribute	index = 18446744073709551612, new_long = 0	1	Fn
COM	Create	interface = 00000112-0000-0000-C000-000000000046, cls_context = CLSCTX_LOCAL_SERVER	1	Fn
Debug	Print	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, type = DEBUG_STRING, text = Class not registered	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Handle	module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xzzx_cryptmix.vir.exe, base_address = 0x55820000	1	Fn
Window	Create	window_name = Press, class_name = BUTTON, wndproc_parameter = 0	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
For performance reasons, the remaining 427 entries are omitted. The remaining entries can be found in glog.xml.

Process #23: bce1010314.exe

(Host: 9634, Network: 0)

Information	Value
ID	#23
File Name	c:\programdata\bce1010314.exe
Command Line	"C:\ProgramData\BCE1010314.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:16, Reason: Autostart
Unmonitor	End Time: 00:04:21, Reason: Terminated by Timeout
Monitor Duration	00:03:05

OS Process Information

Information	Value
PID	0x54c
Parent PID	0x45c (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e620 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 550 0x 5F8 0x 614 0x 660 0x 664 0x 68C 0x 6A8 0x 6B4 0x 6D4 0x 6E8 0x 70C 0x 724 0x 730 0x 74C 0x 75C 0x 770 0x 77C 0x 720 0x 7B4 0x 7C8 0x 7EC 0x 344 0x 798 0x 6A4 0x 780 0x 688 0x 60C 0x 634 0x 640 0x 690 0x 6AC 0x 6C4 0x 6DC 0x 6FC 0x 710 0x 718 0x 728 0x 734 0x 750 0x 760 0x 774 0x 548 0x 544 0x 540 0x 408 0x 79C 0x 340 0x 7A0 0x 6CC 0x 7F0 0x 318 0x 5C4 0x 610 0x 484 0x 65C 0x 608 0x 62C 0x 658 0x 694 0x 6B0 0x 6C8 0x 6E0 0x 700 0x 714 0x 71C 0x 72C 0x 764 0x 738 0x 754 0x 778 0x 784 0x 564 0x 560 0x 604 0x 420 0x 600 0x 5DC 0x 5F4 0x 5FC 0x 5D8 0x 5D4 0x 64 0x 594 0x 5CC 0x 804 0x 808 0x 80C 0x 810 0x 814 0x 81C 0x 824 0x 828 0x 82C 0x 830 0x 834 0x 838 0x 83C 0x 840 0x 844 0x 848 0x 84C 0x 850 0x 854 0x 858 0x 85C 0x 860 0x 864 0x 868 0x 86C 0x 870 0x 874 0x 878 0x 880 0x 884 0x 888 0x 88C 0x 894 0x 898 0x 89C 0x 8A0 0x 8A4 0x 8A8 0x 8AC 0x 8B0 0x 8B4 0x 8B8 0x 8BC 0x 8C0 0x 8C4 0x 8C8 0x 8CC 0x 8D0 0x 8D4 0x 8D8 0x 8DC 0x 8E0 0x 8E4 0x 8E8 0x 8EC 0x 8F0 0x 8F4 0x 8F8 0x 8FC 0x 900 0x 904 0x 908 0x 90C 0x 910 0x 914 0x 918 0x 91C 0x 928 0x 92C 0x 930 0x 934 0x 938 0x 93C 0x 940 0x 944 0x 948 0x 94C 0x 950 0x 954 0x 958 0x 95C 0x 960 0x 964 0x 968 0x 96C 0x 970 0x 974 0x 978 0x 97C 0x 980 0x 984 0x 988 0x 98C 0x 990 0x 994 0x 998 0x 99C 0x 9A0 0x 9A4 0x 9A8 0x 9AC 0x 9B0 0x 9B4 0x 9B8 0x 9BC 0x 9C0 0x 9C4 0x 9C8 0x 9CC 0x 9D4 0x 9D8 0x 9DC 0x 9E0 0x 9E4 0x 9E8 0x 9EC 0x 9F0 0x 9FC 0x A0C 0x A14 0x A24 0x A30 0x A44 0x A48 0x A4C 0x A50 0x A54 0x A58 0x A5C 0x A60 0x A64 0x A68 0x A6C 0x A70 0x A74 0x A78 0x A7C 0x A80 0x A84 0x A88 0x A8C 0x A90 0x A94 0x A98 0x A9C 0x AA0 0x AA4 0x AB0 0x AB4 0x AB8 0x ABC 0x AC0 0x AC4 0x AC8 0x ACC 0x AD0 0x AD4 0x AD8 0x ADC 0x AE0 0x AE4 0x AE8 0x AEC 0x AF0 0x AF4 0x AF8 0x AFC 0x B00 0x B04 0x B08 0x B10 0x B14 0x B18 0x B1C 0x B20 0x B24 0x B28 0x B2C 0x B30 0x B38 0x B3C 0x B40 0x B44 0x B48 0x B4C 0x B50 0x B54 0x B58 0x B5C 0x B60 0x B64 0x B68 0x B6C 0x B70 0x B74 0x B78 0x B7C 0x B80 0x B84 0x B88 0x B8C 0x B90 0x B94 0x B98 0x BA8 0x BAC 0x BB0 0x BB4 0x BB8 0x BBC 0x BC0 0x BC4 0x BC8 0x BCC 0x BD0 0x BD4 0x BD8 0x BDC 0x BE0 0x BE4 0x BE8 0x BEC 0x BF0 0x BF4 0x BF8 0x BFC 0x 328 0x 404 0x 448 0x 7F4 0x 444 0x 890 0x A10 0x A34 0x A40 0x B0C 0x 2CC 0x 118 0x 1C8 0x 210 0x 124 0x C0 0x C4 0x 90 0x 500 0x 5A4 0x 58C 0x 920 0x 924 0x 6F4 0x 588 0x 684 0x 34C 0x 638 0x 744 0x 68C 0x 3BC 0x 740 0x 3CC 0x 6D8 0x 724 0x 660 0x 70C 0x 6A8 0x 77C 0x 6E8 0x 74C 0x 730 0x 614 0x 6D4 0x 6B4 0x 474 0x 23C 0x 53C 0x 4E8 0x 22C 0x 6EC 0x 254 0x 228 0x 618 0x 4F0 0x 758 0x 314 0x 6F8 0x 790 0x 348 0x 51C 0x 36C 0x 2B4 0x 57C 0x 6A0 0x 214 0x 364 0x 368 0x 678 0x 158 0x 320 0x 570 0x 67C 0x 598 0x 424 0x 138 0x 584 0x 440 0x 59C 0x 5D0 0x 528 0x 578 0x 24C 0x 398 0x 248 0x A3C 0x A2C 0x 180 0x A20 0x A28 0x 1D4 0x 818 0x 820 0x C08 0x C0C 0x C10 0x C14 0x C18 0x C1C 0x C20 0x C24 0x C28 0x C2C 0x C30 0x C34 0x C38 0x C40 0x C44 0x C48 0x C4C 0x C50 0x C54 0x C58 0x C5C 0x C60 0x C64 0x C68 0x C6C 0x C70 0x C74 0x C78 0x C7C 0x C80 0x C84 0x C88 0x C8C 0x C90 0x C94 0x C98 0x C9C 0x CA0 0x CA4 0x CA8 0x CAC 0x CB0 0x CB4 0x CB8 0x CBC 0x CC0 0x CC4 0x CC8 0x CCC 0x CD0 0x CD4 0x CD8 0x CDC 0x CE0 0x CE4 0x CE8 0x D3C 0x D4C 0x D50 0x D54 0x D58 0x D5C 0x D60 0x D68 0x D6C 0x D94 0x D9C 0x DA0 0x DA4 0x DA8 0x DB0 0x DB4 0x DB8 0x DBC 0x DC0 0x DC4 0x DC8 0x DCC 0x DD0 0x DD4 0x DD8 0x DDC 0x DE0 0x DE4 0x DE8 0x DEC 0x DF0 0x DF4 0x DFC 0x E00 0x E04 0x E08 0x E0C 0x E10 0x E14 0x E18 0x E1C 0x E20 0x E24 0x E28 0x E2C 0x E30 0x E38 0x E3C 0x E40 0x E44 0x E48 0x E4C 0x E50 0x E54 0x E58 0x E5C 0x E60 0x E64 0x E68 0x E6C 0x E70 0x E74 0x E78 0x E7C 0x E80 0x E84 0x E88 0x E8C 0x E90 0x E94 0x E98 0x EA0 0x EA4 0x EA8 0x EAC 0x EB0 0x EB4 0x EB8 0x EBC 0x EC0 0x EC4 0x EC8 0x ECC 0x ED0 0x ED4 0x ED8 0x EDC 0x EE0 0x EE4 0x EE8 0x EEC 0x EF0 0x EF4 0x EF8 0x EFC 0x F00 0x F04 0x F08 0x F0C 0x F10 0x F14 0x F18 0x F1C 0x F20 0x F24 0x F28 0x F2C 0x F30 0x F34 0x F38 0x F3C 0x F40 0x F44 0x F48 0x F4C 0x F50 0x F54 0x F58 0x F5C 0x F60 0x F64 0x F68 0x F6C 0x F70 0x F74 0x F78 0x F7C 0x F80 0x F84 0x F88 0x F8C 0x F90 0x F94 0x F98 0x F9C 0x FA0 0x FA4 0x FA8 0x FAC 0x FB0 0x FB4 0x FB8 0x FBC 0x FC0 0x FC4 0x FC8 0x FCC 0x FD0 0x FD4 0x FD8 0x FDC 0x FE0 0x FE4 0x FE8 0x FEC 0x 102C 0x 1038 0x 1040 0x 1044 0x 1048 0x 104C 0x 1050 0x 1054 0x 107C 0x 1080 0x 1084 0x 1088 0x 108C 0x 1090 0x 1094 0x 1098 0x 109C 0x 10A0 0x 10A4 0x 10A8 0x 10AC 0x 10B0 0x 10B4 0x 10B8 0x 10BC 0x 10C0 0x 10C4 0x 10C8 0x 10CC 0x 10D0 0x 10D4 0x 10D8 0x 10DC 0x 10E0 0x 10E4 0x 10E8 0x 10EC 0x 10F0 0x 10F4 0x 10F8 0x 1100 0x 1104 0x 1108 0x 110C 0x 1110 0x 1114 0x 1118 0x 111C 0x 1120 0x 1124 0x 1128 0x 112C 0x 1130 0x 1134 0x 1138 0x 113C 0x 1140 0x 1144 0x 1148 0x 114C 0x 1150 0x 1154 0x 1158 0x 115C 0x 1160 0x 1164 0x 1168 0x 116C 0x 1170 0x 1174 0x 1178 0x 117C 0x 1180 0x 1184 0x 1188 0x 118C 0x 1190 0x 1194 0x 1198 0x 119C 0x 11A0 0x 11A4 0x 11A8 0x 11AC 0x 11B0 0x 11B4 0x 11B8 0x 11BC 0x 11C0 0x 11C4 0x 11C8 0x 11CC 0x 11D0 0x 11D4 0x 11D8 0x 11DC 0x 11E0 0x 11E4 0x 11E8 0x 11EC 0x 11F0 0x 11F4 0x 11F8 0x 11FC 0x 1200 0x 1204 0x 1208 0x 120C 0x 1210 0x 1214 0x 1218 0x 121C 0x 1220 0x 1224 0x 1228 0x 122C 0x 1230 0x 1234 0x 1238 0x 123C 0x 1240 0x 1244 0x 1248 0x 124C 0x 1250 0x 1254 0x 1258 0x 125C 0x 1260 0x 1264 0x 1268 0x 126C 0x 1270 0x 1274 0x 1278 0x 127C 0x 1280 0x 1284 0x 1288 0x 1290 0x 1298 0x 129C 0x 12A0 0x 12A4 0x 12A8 0x 12AC 0x 12B0 0x 12B4 0x 12B8 0x 12BC 0x 12C0 0x 12C4 0x 12C8 0x 12CC 0x 12D0 0x 12D4 0x 12D8 0x 12DC 0x 12E0 0x 12E4 0x 12E8 0x 12EC 0x 12F0 0x 12F4 0x 12F8 0x 12FC 0x 1300 0x 1304 0x 1308 0x 130C 0x 1310 0x 1314 0x 1318 0x 131C 0x 1320 0x 1324 0x 1328 0x 132C 0x 1330 0x 1334 0x 1338 0x 133C 0x 1340 0x 1344 0x 1348 0x 134C 0x 1350 0x 1354 0x 1358 0x 135C 0x 1360 0x 1364 0x 1368 0x 136C 0x 1370 0x 1374 0x 1378 0x 137C 0x 1380 0x 1384 0x 1388 0x 138C 0x 1390 0x 1394 0x 1398 0x 139C 0x 13A0 0x 13A4 0x 13A8 0x 13AC 0x 13B0 0x 13B4 0x 13B8 0x 13BC 0x 13C0 0x 13C4 0x 13C8 0x 13CC 0x 13D4 0x 13D8 0x 13DC 0x 13E0 0x 13E4 0x 13E8 0x 13EC 0x 13F0 0x 13F4 0x 13F8 0x 13FC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a0fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x001b0000	0x00216fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000220000	0x00220000	0x00226fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000230000	0x00230000	0x00231fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000240000	0x00240000	0x00240fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000240000	0x00240000	0x00240fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000250000	0x00250000	0x002cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002d0000	0x002d0000	0x0034ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000350000	0x00350000	0x00351fff	Pagefile Backed Memory	Readable	Region Actions
windowsshell.manifest	0x00360000	0x00360fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000360000	0x00360000	0x00360fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000370000	0x00370000	0x0046ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000470000	0x00470000	0x005f7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000600000	0x00600000	0x00601fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000610000	0x00610000	0x00610fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000620000	0x00620000	0x0062ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000630000	0x00630000	0x007b0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007c0000	0x007c0000	0x01bbffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001bc0000	0x01bc0000	0x01c5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001bc0000	0x01bc0000	0x01bfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c00000	0x01c00000	0x01c00fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c10000	0x01c10000	0x01c10fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c20000	0x01c20000	0x01c5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c60000	0x01c60000	0x01c9ffff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x01ca0000	0x01cdbfff	Memory Mapped File	Readable	Region Actions
rsaenh.dll	0x01ca0000	0x01cdbfff	Memory Mapped File	Readable	Region Actions
private_0x0000000001ca0000	0x01ca0000	0x01cdffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ce0000	0x01ce0000	0x01ce0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001cf0000	0x01cf0000	0x01cf0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d00000	0x01d00000	0x01d0ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001d10000	0x01d10000	0x01deefff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001df0000	0x01df0000	0x01e2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e30000	0x01e30000	0x01e6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e70000	0x01e70000	0x01e7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e80000	0x01e80000	0x01ebffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ec0000	0x01ec0000	0x01ec0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ed0000	0x01ed0000	0x01ed0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ee0000	0x01ee0000	0x01ee0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ef0000	0x01ef0000	0x01ef0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f00000	0x01f00000	0x01f3ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001f40000	0x01f40000	0x02332fff	Pagefile Backed Memory	Readable	Region Actions
kernelbase.dll.mui	0x02340000	0x023fffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000002400000	0x02400000	0x02400fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002410000	0x02410000	0x024d7fff	Private Memory	Readable, Writable, Executable	Region Actions
sortdefault.nls	0x024e0000	0x027aefff	Memory Mapped File	Readable	Region Actions
private_0x00000000027b0000	0x027b0000	0x028affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000028b0000	0x028b0000	0x029affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000029b0000	0x029b0000	0x02aaffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ab0000	0x02ab0000	0x02baffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002bb0000	0x02bb0000	0x02caffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002cb0000	0x02cb0000	0x02daffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002db0000	0x02db0000	0x02eaffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002eb0000	0x02eb0000	0x02eeffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ef0000	0x02ef0000	0x02feffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ff0000	0x02ff0000	0x02ff0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003000000	0x03000000	0x03000fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003010000	0x03010000	0x03010fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003020000	0x03020000	0x03020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003030000	0x03030000	0x03030fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003040000	0x03040000	0x03040fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003050000	0x03050000	0x03050fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003060000	0x03060000	0x03060fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003070000	0x03070000	0x03070fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003080000	0x03080000	0x03080fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003090000	0x03090000	0x03090fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000030a0000	0x030a0000	0x030a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000030b0000	0x030b0000	0x030b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000030c0000	0x030c0000	0x030c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000030d0000	0x030d0000	0x030d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000030e0000	0x030e0000	0x030e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000030f0000	0x030f0000	0x030f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003100000	0x03100000	0x03100fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003110000	0x03110000	0x03110fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003120000	0x03120000	0x03120fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003130000	0x03130000	0x03130fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003140000	0x03140000	0x03140fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003150000	0x03150000	0x03150fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003160000	0x03160000	0x03160fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003170000	0x03170000	0x03170fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003180000	0x03180000	0x03180fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003190000	0x03190000	0x03190fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000031a0000	0x031a0000	0x031a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000031b0000	0x031b0000	0x031b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000031c0000	0x031c0000	0x031c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000031d0000	0x031d0000	0x031d0fff	Private Memory	Readable, Writable	Region Actions
bce1010314.exe	0x55820000	0x5585bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x729a0000	0x729a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pdh.dll	0x729b0000	0x729ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x729f0000	0x72a73fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x731a0000	0x731a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x731b0000	0x731c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x731f0000	0x7326ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x73270000	0x7340dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x73410000	0x73417fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x73420000	0x7347bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x73480000	0x734befff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x74970000	0x7497dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74980000	0x749bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x749c0000	0x749d5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x749f0000	0x749fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74a00000	0x74a5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74a60000	0x74abffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x74ad0000	0x74b5efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x74b90000	0x74c0afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x74c10000	0x74c36fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x74c40000	0x74c85fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x74c90000	0x74ca1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x74cb0000	0x758f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75960000	0x759fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x75a90000	0x75b12fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75c50000	0x75cdffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75ce0000	0x75deffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x75df0000	0x75e46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x75e50000	0x75eecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76280000	0x7632bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76330000	0x76348fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76350000	0x764abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x764b0000	0x765affff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x766f0000	0x767bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x767c0000	0x767c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x767d0000	0x768bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x768c0000	0x76a5cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076aa0000	0x76aa0000	0x76bbefff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076bc0000	0x76bc0000	0x76cb9fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76cc0000	0x76e68fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76ea0000	0x7701ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efa4000	0x7efa4000	0x7efa6fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa7000	0x7efa7000	0x7efa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efaa000	0x7efaa000	0x7efacfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions
For performance reasons, the remaining 166 entries are omitted. The remaining entries can be found in flog.txt.

Created Files

Filename	File Size	Hash Values	Actions
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\9y_m-ovb2iyyx\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\9y_m-ovb2iyyx\dqopm\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\network shortcuts\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\printer shortcuts\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\recent\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\saved games\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\searches\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\sendto\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\start menu\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\templates\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\dtms 07a7aq-xeuh0\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\dtms 07a7aq-xeuh0\2ss69ds5b7dlsjshty0o\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\dtms 07a7aq-xeuh0\o903hcw\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\xarijr5atdl\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\z-_06k\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\z-_06k\wpc5n64xvm\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\public\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\public\documents\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\public\music\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\public\pictures\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\public\videos\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\public\downloads\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\public\favorites\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\public\libraries\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\public\music\sample music\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\public\pictures\sample pictures\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\public\recorded tv\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\public\recorded tv\sample media\_help_instruction.txt	0.69 KB (708 bytes)	MD5: 99b4288995857301d312d28c2291153d SHA1: f769bff21786fd74b5657c5cee846df22a62061d SHA256: deb8d2fa204f74abc411a4db8b0f02a3b1a655c6185f077f016a8866752a17ff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\dae2cc280af9f39884d63acc0f1ad7e0.xzzx	0.18 KB (183 bytes)	MD5: b2039def62d30e627c9b07fafd0673f0 SHA1: bca033c20eed042b2664a66a20b995f565cd1f3c SHA256: 7ce75bcfdf2deb2417f0d59e7cf10a04b240c6ebdec5cc8badef61ca508977ea	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\links\323285543e8b2cb8c06cf7b742ac1100.xzzx	0.64 KB (651 bytes)	MD5: 62b16e19c99fd8243826e8e98950e495 SHA1: d24985d4dc1fe659fb3dc15f9ce3c9d86a4491ad SHA256: 3d00cfde4b15dae436ce931573a8398c72eaac95a130b7120fb34d3257108a9a	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\c1c4370f268a7d85910c485d2aab61cd.xzzx	21.99 KB (22519 bytes)	MD5: 240b43be25efe63e1f408e37d9696c6b SHA1: e0879ba8aa9a93bd697709922114e7801168ff0a SHA256: 2394a06d954932dfbc71dd95fadf5e3304bd14a5def37c4f7fd2edcd0304ba16	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\2addd7ce37de6c473adf3b8e3bff508f.xzzx	45.39 KB (46477 bytes)	MD5: e39b41849bdd0332d45672be272b4620 SHA1: 6b5b1ae1dcd0bba156462139fb9a264822a74186 SHA256: ec4f62854d65ee70c596b1cf7843fe4324605a901cdb68980fd084a3d205ec49	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\9y_m-ovb2iyyx\d02310330d7f24f9ea0895e311a00941.xzzx	89.10 KB (91242 bytes)	MD5: f50774acf57afae5e71525f52faaeb25 SHA1: 1853ed29d85cd3a68e6a55bca6c94ae1b87678c9 SHA256: f09d7ebfab87b1f5b605a4ab9cab0772d90be17aced00706ea51b8b8bc94a019	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\9y_m-ovb2iyyx\83899d5a26f059de25e7413f2b253e26.xzzx	30.54 KB (31274 bytes)	MD5: d10c818bb4d914da6dfdfea0bb01a7e6 SHA1: 9d5c9a5c469896835b553f2e3bef0e954a977a68 SHA256: f9db39316db6031438344e25561408333082fa2dc2a8967577f745d83ac3ae51	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\9y_m-ovb2iyyx\b7d698fe122efca3a766339e164fe0eb.xzzx	53.02 KB (54294 bytes)	MD5: bfa30e76fa7ddeac54bfaa4a1eb07dd6 SHA1: beddbe78af3e6370a6a59809b11242aaab0dcd92 SHA256: cd1ac8c8c3478f065dfd69c339a4810f66ad589849aa7ecef21d4761d926a755	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\9y_m-ovb2iyyx\ba853e823c01028a03c2dabb4021e6d2.xzzx	64.24 KB (65783 bytes)	MD5: 1a18f83d1a07042faae27ec212004fc7 SHA1: 7dab36dea57ef6d29a6dc1ff3cc283ba344abe80 SHA256: 5439703f2daa9c3d6e5b315f66b658df61e9779b172db5fffc8dbe7ce95c9987	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\9y_m-ovb2iyyx\ed39cab90ce3c63a3eaea7271104aa82.xzzx	96.08 KB (98387 bytes)	MD5: 18c9e588a3fcda5adb0f02ce418b91d0 SHA1: e403e5b94824bc2d324dc41789b394fd6457d114 SHA256: aa9262096177d24e6baac670a55493445557dc4111b074866193390946a7836b	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\9y_m-ovb2iyyx\64527b001382d7bf4d0a170017b7bc07.xzzx	69.41 KB (71080 bytes)	MD5: cdf7e813a81aa2b0444d0c9c98e29582 SHA1: 52aa49e6b317a4de2e5d00fd15303dff3598ef85 SHA256: 09e5b647e4f6278febdaa8cd3fdd2ee3548729c3600842c050f1667041bd9437	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\9y_m-ovb2iyyx\3c85a2c827b882d0ac42f6272bd96718.xzzx	36.73 KB (37612 bytes)	MD5: c65a17cd098714e19d51cfc5ecdb1023 SHA1: 2974c0d5c602f3085a5d183f0ea7ce9b2219005f SHA256: 8eccb912de0bfb6be7171414cfec242e12e832ff858a84ea9d3d02e6020a4cff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\9y_m-ovb2iyyx\c3e4f2c10c4d8eea8ebc635b106e7332.xzzx	35.94 KB (36804 bytes)	MD5: 6f57c4a8651b73f8ebd30047c283e841 SHA1: fc01112eba47c1116ef298bf4311b05e72e69a30 SHA256: 3006c3eb7f514eb96d3f0af5780da1ec33aff5a95665e8da1b65b8d74ba6a330	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\9y_m-ovb2iyyx\663067de2a526aca340de0352e734f12.xzzx	36.19 KB (37059 bytes)	MD5: a3938aa865947f87071a2eb0677336fe SHA1: 062d9cfbbd8011c45499117c2f484459b1d061b5 SHA256: 1d589a287e67b3da350ad7f0f45e664ea02f4f539ec0ebab8faf40ecd2d31494	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\9y_m-ovb2iyyx\b7fe604f2a0f001fc8bf560f2e43e467.xzzx	13.18 KB (13497 bytes)	MD5: c4512fa0fd838f4c472e21203165bba4 SHA1: 0e05d042c12507ea595ebb0a63ed35e89b1925c8 SHA256: 4ce63ed0b14ed548f7f6c45b349981e8f7ecafb4af35038c13fd39be48f38367	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\9y_m-ovb2iyyx\38dc595e3788a5ba7503b1493ba98a02.xzzx	4.61 KB (4719 bytes)	MD5: cbeaf2ca1e75915b0d8527205c9d9a6d SHA1: 2f386acd47075707a2c9129e4e9dc14f14dc0942 SHA256: 2276d1562d166c8e9fb40b2ddf89f0b675a9ff3380f3cf4ec2ed570b6585ab4a	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\9y_m-ovb2iyyx\6fb07fde0cb60f86500f11cf10d6f3ce.xzzx	85.12 KB (87162 bytes)	MD5: 6d0125605db26c4e0f8b95565d282869 SHA1: 133ec771ec03ab6d7d73039459dc118072665dc4 SHA256: f0ba3377a43ef0ad0b430587b05582891eea0379aefbbcd809ed818664008a9a	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\9y_m-ovb2iyyx\06c3ecfb13862898aa23710517bb0ce0.xzzx	73.42 KB (75181 bytes)	MD5: a36bd7e43f7d725d97ff2456834a9002 SHA1: 87ffdf43d477a7b25a9bd0bc96d30d4445a59af3 SHA256: e9bf64a113c0da4269edc2323350071751316b8835f02d2b38a2f63b5a3a3aab	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\9y_m-ovb2iyyx\dqopm\3006c810075ed0f01f3de7c50b7fb538.xzzx	71.45 KB (73160 bytes)	MD5: 32703d94c8004f5af95a05a2bf73eaec SHA1: 4566c17688b08cc14c7af469ff070345324491f9 SHA256: 61984fdcb91c76f9757601b8d417185e1f2ebd7e7de2895314f3dda6b774a6dd	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\9y_m-ovb2iyyx\dqopm\fa78694804c1e3566fc4cb7c08f6c79e.xzzx	11.71 KB (11989 bytes)	MD5: 61b4780ddb4cef52674aa59048ed79cf SHA1: 83bd1949721e63db95db45e0e84018dd6c7a63eb SHA256: 8a00c4f976df1de2adbd90e8a22f129104a2ed9f57ce7c5a041b19990de38d4e	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\9y_m-ovb2iyyx\dqopm\b02b14800a31a4c0c9dc8d360e528908.xzzx	24.21 KB (24789 bytes)	MD5: e6c9ccec10faa0d8161da037781654a7 SHA1: 3ca595c29dbd209784461141b7d7bfc7c8d0d05d SHA256: f45bdff37bbb68fc1df62adb356a7a9f0651505f8108e2aa567cff8b01c757f5	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\9y_m-ovb2iyyx\dqopm\8f1540b007ab3ef89a8099c80bcc2340.xzzx	84.31 KB (86336 bytes)	MD5: dac37b92f3b350f6db4cc8c5aef96ae1 SHA1: a36a2369aaef5b4e9613c09c1335bcf38a691b25 SHA256: 8c4626f55191efe770b12f08ffe6351d11a0e2a374b3a073ce099cf3294f0e60	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\9y_m-ovb2iyyx\dqopm\b1210aaa2257fea8b6b1d3dd268ce2f0.xzzx	68.41 KB (70050 bytes)	MD5: 6fd0bc69ddcf19fc5c6254f0d7d6fc04 SHA1: c661ead23f9a7430689fadfea23026ec8595da0d SHA256: 3e34bb38bea675be765d4d16174213990815f791bda2fd93b4d784149d72d019	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\music\auosv3m 9vtnbjukze\9y_m-ovb2iyyx\dqopm\04bba0d020119813f8f6e49024327c5b.xzzx	42.73 KB (43757 bytes)	MD5: a38e7e31386a89fd376cbca7680d20b2 SHA1: d22a5c6e2dfdacfa2fff49fe49e44076742de1e3 SHA256: 5088feebe02e08624518f48f079075aea5da9d5a7b91caf6e8afb07eef606342	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\7ec795ed37af1a88a52703f73bcffed0.xzzx	36.34 KB (37217 bytes)	MD5: 7b4304e41f7e2c553114742cb9d2bffa SHA1: 5b0edfe55cbd86e40076750b0361601d2a41f4e5 SHA256: 457c4ad3baf404b6283865e698490dfe8ff2758f4fd86a8c444f262f4b78b638	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\c30cf4f82e58715357484b18328d559b.xzzx	43.68 KB (44731 bytes)	MD5: 81659e6d8a4d3f09a39929e30aa360db SHA1: ef1a0dbe148270a9fc697f4f3891aa391b181041 SHA256: 06a01b93de3a8dcee6931d6fa3a7366938f9add6be9c7cc2104001e1329efe9e	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\7030d20732fb05ae512c0edb3744e9f6.xzzx	39.58 KB (40531 bytes)	MD5: 1cbd402274df267452bfa274914c6080 SHA1: dc2b4e6e4a8c0fe07c3fc99f5e7740087c7c2d10 SHA256: 13d6c9a2cef91b9152e03494dd9c96f7d61db20e3481f14a0b711a1a78b5519c	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\2187c5602f1adaf08d4383d0333bbf38.xzzx	98.83 KB (101203 bytes)	MD5: cd06bb370021c00c6350b7c7eb47261d SHA1: 980220a4cd8e02421027fef530def248157b6ef1 SHA256: 87eed63d5aecb471b4c10378e295b09c1c8b35337a7cf93730a48f44991db1d4	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\3a2295cd2f8cd2df95e7618733c2b727.xzzx	72.63 KB (74372 bytes)	MD5: ad680a42bc85a04ed95419664b71014c SHA1: 72c41275051c06e888584d8331a850c106b8d3b5 SHA256: 9de74e25397160af6023ca1c02a2cc635a31a78be11a220c0e5a61f1aca943ca	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\8f82071c3e6aa36071d28504428b87a8.xzzx	65.83 KB (67408 bytes)	MD5: 34e27579b67f2c60e3489b22f44e591c SHA1: 7a58a71298700908b61c94559e20e00e497be127 SHA256: ac7ee8bd496dbbeaceab4f13c0474455b5112ddf3b11b3174e17e22dfe0bc0e9	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\c87868381959cc9c63dbf2ec1d8eb0e4.xzzx	31.65 KB (32405 bytes)	MD5: 01ffabd8a351dd16efd5a36e839bd2cb SHA1: 926b2738a05aff1e072012083cf4f38029dbd853 SHA256: 9bd9fa41c4c7088c3a63fe232a2c3af0df9238c54c49c158b005c564eb632e59	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\567fb4290f0a7ce338c9770b132b612b.xzzx	44.50 KB (45566 bytes)	MD5: b634e56d85233b3068a1cda8d98b5ba0 SHA1: 06edf4db53b5e6070e80d887955502ac151ce838 SHA256: dd608bf2ba28d95f65b04a4f7a03b27636e92c4c574970ae4dc1b36869bb3e24	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\6c73d824191052a8389547c51d5a36f0.xzzx	8.44 KB (8641 bytes)	MD5: 68d2b9d24a7a4eece3b3da3ef613eb0c SHA1: 38c5bbea7d562bae9d38d8d7e42a5788983f02f7 SHA256: bfccc4844078e6ed7b7365c2e475a1956e88fc8d3ead5836b3e9daf8a2fb550a	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\7e711d900e3b4440af6b05f612702888.xzzx	90.40 KB (92567 bytes)	MD5: 23569ac415954190531f5ecef2910c70 SHA1: ac7e7d4002833e90535056812b3a0b3493c7b2fd SHA256: f2f0de02936d58418af02f1aaf9e73fc4fd54cb7c27fda4716412589e3875f7c	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\6d777c541da727448f863c8e21c80b8c.xzzx	9.54 KB (9773 bytes)	MD5: e551e7fa4a29fa1bdd5004f5080eba92 SHA1: dba645106b2f139ca8882dd28d017118ffda5ba6 SHA256: db8cf6f94f8591c38359eceb41968552dd73ee6f12e4aff3fb241a87ab9ea5dd	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\f9ecb5d32975dbfcfcc9e4d92dbfc044.xzzx	0.65 KB (669 bytes)	MD5: 9d724294c450865e4b5f6082b36e91eb SHA1: d90cc4e71ce9ef932f14392880b993f95454235e SHA256: 0cde438fabd02956bfe73b426c4d77fd405556dfdfd29eda2d20a4e2a439c27b	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\c22d6d6701d063bff430045506304807.xzzx	19.24 KB (19700 bytes)	MD5: d64ec1513e3a2028b1bd26c5982f823d SHA1: 4b9c1942066e6549c42c3c6f9232ad87c96ca7a8 SHA256: b484d77c382d22ec691ac430d5e130ae1cb374fef7b430060448d16a06c987c9	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\6274bc861b7171923c3788ab1f9255da.xzzx	22.50 KB (23042 bytes)	MD5: 5c19c1cc897e424c8d26e9f929199572 SHA1: e5a9135494ec038a06a32c413329907dc65c3382 SHA256: becf1a665ce6667bc382264438668236dcf4b89b3ad4c7697ddbe0c31e102c7b	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\8facb48c4470f6be344be4a448a5db06.xzzx	49.38 KB (50569 bytes)	MD5: 04e263bd7644ed1d15968583f0c85d80 SHA1: 1f8b5ae02f12265019ac3b54d457b53ce2399c7d SHA256: aaa15e7c186db31370e8d30bfc45566c632a9d396084c006fa1693558730e2e5	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\90eab1ce03d6a9ccf759aee907f78e14.xzzx	30.44 KB (31169 bytes)	MD5: 9185e6da04755916803253af9610bcc3 SHA1: 001357c52d1031bd6d3a6764e82fa8a01c0a3413 SHA256: 9c10e1ff51cad7520207b56e7392eae65aef9f9c91d9674653a9b7d121e05097	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\7852c7a011e028ad2e2e29a016150cf5.xzzx	45.91 KB (47013 bytes)	MD5: 51690523a617ebe50ac0a1883185c57e SHA1: 1be85c36b261c66588c7cd4a8462979ca6bbdf37 SHA256: f33574b0a57e60334e77e4105ea8a9808f3a7298b8ce7a4d223e83d96bcf4b93	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\d59aafc73ffff3fe126a516d4420d846.xzzx	26.96 KB (27604 bytes)	MD5: bf885c283aac8029907978a700d28c6d SHA1: 487c094ed491ff83d6513f93c508b37cdab2cfb4 SHA256: 647a0708d0862aaa1422ad1cb3d79dc1d3539e2310b3e6e4af3ffbd01fc719b4	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\5c36794d2643414f2fe671172a8d2597.xzzx	2.59 KB (2655 bytes)	MD5: 7596663e80c5c9caea6114ca6f82068b SHA1: 222a54675be37b3952fb6343f9f96f734fb84759 SHA256: 8856bcb31fef06c8d5f0cd65c9ffb1e9c99808f31bf17f9b15c86c48e85bb8f4	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\6e0684500109fc98cfd71110053fe0e0.xzzx	20.11 KB (20592 bytes)	MD5: f2f8598ed19d8f6d7fc95002641794f5 SHA1: 93c6016547de3971c69bf0827a61754ad150360a SHA256: cd6441fa7fa8603b5b04f3c7715b5f7da02ce2e9e49e519aa1c08b2dfcceed22	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\a74bc39b153f2e46bb66a40d1960128e.xzzx	82.79 KB (84781 bytes)	MD5: 295545ec293b2fda16e3532d4e5dbe1d SHA1: eb1ab5fdb1b57ada98f0dc5c0bfa16998cfdee86 SHA256: b9999e05d1c62715c8230afe78c1845d4d8b35d395dcda7ad6090de58ea6d529	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\d2fbb85013e759fe97cf4af0181d3e46.xzzx	45.84 KB (46942 bytes)	MD5: 0c38c9a7fa7be8d26f81566a8f49fb83 SHA1: 5b7f9e7513c1878e0734ab581a93b59409b3313f SHA256: f337839d26055f6071b1f33341ce3ad192049d9771e48b99ad0e6a517cc090f2	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\7f23998a1acab3e49f720f0b1eeb982c.xzzx	57.81 KB (59197 bytes)	MD5: 38b610a8b62b51bc570cc460507f97c2 SHA1: 426f92a56a43e23d355476db00beca67ee96fae5 SHA256: 49d72edd3a575011df385e021ec156f4ca56580d137c8413d8fcc2e41d94899e	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\bd094ff047045ccab6a2a1584b394112.xzzx	32.79 KB (33577 bytes)	MD5: 7d07ad934a01caaf679134e102069a75 SHA1: e77f58c9a18ce67bf7a1843ce66e9acf8082cf5e SHA256: 79b0b4db9243ff92bcb37125e93b3c9fb10546425b50b5fc6bdf5836e8644aae	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\d5d72cd040472a6053677ef544680ea8.xzzx	92.25 KB (94467 bytes)	MD5: 07f3876b0b1fbbe40adf1c279dc9d611 SHA1: 1fa232b83b52736fb8f0655a92e924576572ed9e SHA256: caa63ac3eba72349a04935f69572ae048bdc7a61171c8d00288379d2d0710a3f	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\615936dc32228b708230065136576fb8.xzzx	67.52 KB (69136 bytes)	MD5: 47fec316311c6319a6a865ccb3db82d1 SHA1: 18e7b70dd556d8f3f830a72cbfe12674811a8729 SHA256: 97d8dc83ea6f1d5830c5eea46050f636ce3e16ed0134cef66d8a99aa4b7c166c	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\4ec1b3383cf01eb849835ef241110300.xzzx	47.10 KB (48229 bytes)	MD5: 2ed84588e41a15610ab30ebdf40620cc SHA1: cba62e16407081ed8d2c01926e6ac8a579061523 SHA256: 8d30a102ab82571d2d1fe19eb65efca02a98ae70e12db01f66c60a44934d9e38	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\7abc26d22c977f5cf918eabe30b863a4.xzzx	2.68 KB (2746 bytes)	MD5: 10c3b07487b5dfbd82efe187860a7741 SHA1: 8fb29a952586d6eda7a5a79cab386d6d0c4170b4 SHA256: f736167e5e548766d8f0c9992e6acefecad6f1b41ebd3bed7e412a041dcdc308	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\f28bd0f0084d975830f3b58e0c6e7ba0.xzzx	9.36 KB (9588 bytes)	MD5: f36474c4ab4ff1cb0bd644b916ad9ac5 SHA1: 950eb98385e5b0b938ebdb425e3a6b635cf9f624 SHA256: 27781736d3003bf288ce12428a9a1e21611f0ff90c2b63b24da1c60ab6a904b9	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\fbb049370c08d85d799956bd1029bca5.xzzx	30.68 KB (31418 bytes)	MD5: 094a2359ac86447e5f3db13cfe91b51f SHA1: 7121d4e07e22a12ea72f8a3c784ba1f01e0f2369 SHA256: 49bcc5d7767d0e60e148a7a3fa05212ecbb17b51de01967991693ea9eb8d2c0c	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\609d61282fed0ee4afd8291a340df32c.xzzx	98.42 KB (100781 bytes)	MD5: bbebf0b211b75de09879f9ae3e3acd39 SHA1: 9a4d6802c563f1992b59c1dd035e49408037f24d SHA256: 6d10c6f0542156494f43db2922ba5c6e38af60f2ef68441b49466d7267397965	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\1698fa38038eb2cd51213bc807c39715.xzzx	25.62 KB (26239 bytes)	MD5: 6d5c61fa21ddd8399443b98631828511 SHA1: 9232e944a0cfaff9e8a0c670a84433ac86b65ed8 SHA256: ffc33222f6669f600580db1d74967e9929dcb4e32bed6d28c954da9f942b6a45	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\d3d882303025b5406f9968d234469988.xzzx	50.87 KB (52095 bytes)	MD5: aab06430aaf92867712437fdee4506bb SHA1: 9ea76e1e7e4fdfe00dc318bbb78a29fa88ffa2c5 SHA256: b65cae3ef734966c27e94a37248256f1352a71e52273b3f8d2a5c9452500bd89	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\1971d3bf09924c93cb17194f0dc730db.xzzx	59.17 KB (60587 bytes)	MD5: 541425fd978c554404f50b61e819aec4 SHA1: 642bbb34c26f1df2efcb7eb0f94015767d53b57a SHA256: 7a12c18b3f1d15faf8512ad4749161b30d057d78b249614808b87e1597e55079	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\c355f5402bedf72e504955a0300edb76.xzzx	55.42 KB (56754 bytes)	MD5: 55c3104f2dd7291cacbd39a453be9d02 SHA1: 0b137d47f5f53e9c90990ffb73a10f0cd373dc1a SHA256: 34be4d446d835c46646f9b97dbe57e20095fb16c9761e2791928b542ed82715d	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\pictures\693610ce0e824d54f2368b0112b7319c.xzzx	46.51 KB (47624 bytes)	MD5: d3d6c4268c594e08cc24f032bb9c4d26 SHA1: a65104672fb95244bdbd1e9ecbdb786cde463b4c SHA256: ef722d1a887c8801eb2b2602eafcaf50d60690fd142006771476c31b8d069ec3	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\saved games\c8d828ef44c6b909469a8e7948e79d51.xzzx	0.44 KB (447 bytes)	MD5: 1fc933c6c389660d5379e070f8e6479b SHA1: 8a6d154f41e3aadfa51b578cb127097b26ba4308 SHA256: 1fda7167364df89482ee04ec4ab6a3eff60c71f0e89011b820cc18e9a2390631	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\searches\07542892440c59ca51177af248413e12.xzzx	0.67 KB (689 bytes)	MD5: 810a35c7716525d6ded92f9bee85a404 SHA1: 6f7f1dc14cbdd737031f33aa240c37558733533d SHA256: a3006d1913f64cce51f93db711c8451d047a79ea8b6c98546159b2fd2f89840a	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\searches\22be9d582e5129d8aa7ce5bc32720e20.xzzx	0.42 KB (431 bytes)	MD5: 96c1f62a37267d6c30d888e6a31055fd SHA1: a9a5757c693fa3a5bfb9bfc47b3bed251592e17b SHA256: 761681e06985095d7d8b1a8b183dc0621bd21115ebdb601e1ed48587334ce431	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\searches\86a958f52ba3fcf7083cb8732fd8e13f.xzzx	0.43 KB (445 bytes)	MD5: e2698baef276ddc3acfbfd1d25b89166 SHA1: e44dc82bc6c36bec3a4d70286d73c4521c534d72 SHA256: 47859f01529de4b40a18d0967add6b3bfcc58de85dbf51f2737ac60a82094d76	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\0fcb2df10ca6b6cb526033cf10c79b13.xzzx	46.69 KB (47806 bytes)	MD5: c0273bea1fe271b78d77935015117738 SHA1: 44168b8a7725834877f4aedfbc33bd024d02bc74 SHA256: 9779b2f54756480cad5849ff876167af65e86e44c43c5c9acafb187eaa13b2bd	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\d89af8f8162b0dae766745d41a4bf1f6.xzzx	0.65 KB (669 bytes)	MD5: 6c76f521e8052a2c0d16f400c5f392f6 SHA1: 1a2a0232c482bd36fe6145b428578d0c79c2f73d SHA256: bfb9ff0383a8d35f2f9ef548a90c43515fc50af1a8e3f3fa85d585427c61c49c	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\f12649bc389976c6163ced043cce5b0e.xzzx	94.37 KB (96630 bytes)	MD5: 4e358143fb249a43799f967628295fbb SHA1: d30158fd564514919ed9a55a3789423939b0070f SHA256: 45f1b4f65948867edbb7114947a59667bfa6059287df2d97554fb104b3fab140	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\23b23ff43a95b5a94696d7543eb699f1.xzzx	42.71 KB (43730 bytes)	MD5: 7d1525739a5a47d9d5eb1360364c5aaa SHA1: 6bfc8fc2c5f6da17049072387b521f261c3b15cd SHA256: f1152588a7ad2781512b607cafeb9d9b3b3a9496f5c24e76793fad0b9e062afe	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\d0384500388b9600f42b1ae33cc07a48.xzzx	35.95 KB (36809 bytes)	MD5: a5a026fe74cbb136fef1cb833b1cda43 SHA1: 360732bac5ee32964fb942bb05e0c6db634c8220 SHA256: edeb847410ca033b7f2987c11c3597072600f998c6df602593857269655b2087	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\3a21fb2547cb7719582a8c7f4bec5b61.xzzx	28.00 KB (28673 bytes)	MD5: 7275ce7acb7f3f81f9f21a0c5ecf2705 SHA1: 697b8c06fe0fabb93462c8651eb0ad9cc7e45a06 SHA256: 9c1df9225e129ce2b8db1a4cb170dbeb31610bd41b241b6e762c6c513ae46614	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\dtms 07a7aq-xeuh0\02d7186c2a67434f1071035c2e882797.xzzx	9.21 KB (9432 bytes)	MD5: 804550e8001e7d53b6d770be9ca42b13 SHA1: b089f371135e64dee23157ed1b0c143f105dbfbe SHA256: 3c6cdc04520306938d618abb452c00594e5b89e6e98b4c4990987896c6e54a1b	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\dtms 07a7aq-xeuh0\0790b504415f6e976181b814459452df.xzzx	26.09 KB (26715 bytes)	MD5: 3331b52d364a9e4466a1c5c535bc4d8f SHA1: d534dd10677629f117dd1ba8bca275e4bdaace23 SHA256: 44638b9d357d79e83ce092d356d1b481fc387909e2688b2f23aaa6f2525f869c	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\dtms 07a7aq-xeuh0\816af2da29d3ebef5d033a6e2df4d037.xzzx	14.53 KB (14882 bytes)	MD5: 95a530c63a7a514497274282375130a9 SHA1: 5c7f0ede7939812064de230a8611d7d2f2d72b56 SHA256: 72fdc59adb159c79b986e068e6726a9799eff311c9764364153c9645daceb5a7	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\dtms 07a7aq-xeuh0\2ss69ds5b7dlsjshty0o\d1b4bdc437a182a42497439f3bc266ec.xzzx	62.57 KB (64071 bytes)	MD5: 8fc16b1ffef0d188c1a188886a5098a6 SHA1: 7e8037f4a55b65011b3bdeb45c04590938e69fcb SHA256: 3fbfac0d468a0702c3843735d3cadfd5fad1ed1f2e7c64877b432ce063ffe5ef	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\dtms 07a7aq-xeuh0\2ss69ds5b7dlsjshty0o\3509b27c28c34484e701f4a52d2d28cc.xzzx	11.05 KB (11317 bytes)	MD5: 597ab5b1ffc533de548dc25f2ee07ec3 SHA1: 37a7782a2b8d5c54d31ca5b208fb78e008cc4055 SHA256: 9398e3683eccca4eff90405b9307c99a8490e245d037f3fc1cfe41633d9610b6	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\dtms 07a7aq-xeuh0\2ss69ds5b7dlsjshty0o\18ef94cc2373db0bfe65ead427a8bf53.xzzx	7.52 KB (7698 bytes)	MD5: 4657fce65f8c9bc65dbd71d4c926f589 SHA1: ce11e2bfa1ea7755436e29e680954a8b40135aa7 SHA256: 34b39e9fe52e23ad6e7811a59b9b45e29c6dece1565ceccf33eade01da4f6176	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\dtms 07a7aq-xeuh0\2ss69ds5b7dlsjshty0o\5bbecda81a1e287c9df89f941e9e0cc4.xzzx	10.48 KB (10736 bytes)	MD5: 1dc8d677ee5344f021c9b333c20f122e SHA1: 0e7943508615aeca521fe0b08bf75f36ae8353b2 SHA256: ca2883b180d77e3d41d5f44e96c6f7c0d88effb49bcc5b1cdecdabe1e558d54f	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\dtms 07a7aq-xeuh0\2ss69ds5b7dlsjshty0o\36d405da123e25ccefb9a7dd165f0a14.xzzx	7.44 KB (7622 bytes)	MD5: 836699ba89a0a5b5b1681da8a56ec663 SHA1: 72e9ec2de8942e0bd74a0a5ddae6f4907768a211 SHA256: fd813ade09c7ac193031b72537a6c00ded82ee77b086b9cab48b9801286e4d0c	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\dtms 07a7aq-xeuh0\2ss69ds5b7dlsjshty0o\7b22a6161cbf8aa2c5439a5220f46eea.xzzx	47.46 KB (48603 bytes)	MD5: b4c67644d02d878f409214153fd2b6c0 SHA1: 08444d9c21db9fa78ef57565322feb6d038ad8fa SHA256: d6fc68cd66d47ff4e97e2bf2284e1fbbd889f74d769de9bb210abf1b1751c32c	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\dtms 07a7aq-xeuh0\2ss69ds5b7dlsjshty0o\6b0fb14d2fcd29f7cf6e219f33ee0e3f.xzzx	87.30 KB (89392 bytes)	MD5: d2c138bdda877fbf4462cbf90e92d6f1 SHA1: 17fd56f4025bde384c595e41345e755721c6b01f SHA256: 2f766400303166cbeadcd011255fd9e563be3298a82fc4776c0878a5fd4d4773	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\dtms 07a7aq-xeuh0\o903hcw\60ca942226aa4a29961b00962adf2e71.xzzx	19.99 KB (20470 bytes)	MD5: bd94eb090d2af2e598bbc395f565c482 SHA1: 95b29139f506b5fc1996cb08a82a917965f7bea3 SHA256: 7c7567d149cbd3c3d5efb0d49cae5d6e734e8f27ccc2cdfb5e57c560741119a0	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\dtms 07a7aq-xeuh0\o903hcw\e29c4433332b9d3db3332d67374c8185.xzzx	39.91 KB (40865 bytes)	MD5: 9bb5fd3d899b97b5bd4f7b76d1cf90cf SHA1: 49ad6628af65b573a3b4e140aedda62dca6a5fa6 SHA256: ef02398d08458affa027ac7ad182fbbf0b2ba98124a250cb5837ef26c3eb08b5	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\dtms 07a7aq-xeuh0\o903hcw\fbba7efe065ec5da534929ce0ac8aa22.xzzx	43.50 KB (44540 bytes)	MD5: 49ecd7884f0a2df5eab6568b8b60dc21 SHA1: 193260733bfadcedbe6a9a8db792595a3e408be9 SHA256: a3c2775c9707904f226c3afad21406a591036fada581daa84ca9de8eb0cf580f	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\xarijr5atdl\db53a738127ccaebb87d0318169daf33.xzzx	97.68 KB (100024 bytes)	MD5: 5b7a9da311e90dd11ab82627ce8a27dc SHA1: 5803359577787bcf7ae282a1bbab6b9cbd2b3fa4 SHA256: 4a409fdd2b42d79481ea8caeb8991789776fc658e3e4b4f02ba6503b0af1934c	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\xarijr5atdl\3b9fb280013c30bc79fe404005721504.xzzx	10.93 KB (11191 bytes)	MD5: cc4f877c76d57a18a17bea3354a5f616 SHA1: 86b6b0108ccd25b96495100055f8fe3d2e1a3e9b SHA256: 6b08b68edae066df78b307fb94f49c67f9fdd0632380f70e7c2107ba9de854ac	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\xarijr5atdl\adbc71e42fba59e00d479b5f33db3e28.xzzx	70.71 KB (72408 bytes)	MD5: 34296a05465eb4a28ba8478e78c39fce SHA1: 0b27d4152f0b0308cced733870cd6fe22f70b78b SHA256: 348c3dba179ddc8a2c4c0d5bb81e886afdfd7e5e76878a31a7cd9064249579a9	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\z-_06k\bdd25f14384cc362cbd33ade3c6da7aa.xzzx	93.44 KB (95687 bytes)	MD5: 3289c077c99e642a1b267a1b060a3afd SHA1: 5e4f0ce86acfb7b720f20fbece6aeab07fa6a082 SHA256: e52a6ec5e67ffebc561f10a4e73918e8d91e4688250448a2ba03426f6cf660af	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\z-_06k\8181dc6820279a95628fb268245d7edd.xzzx	24.60 KB (25193 bytes)	MD5: f0a3b98bb1245eeeaaff13fc39635eff SHA1: 2c78334ac941f280ad5e346dd41202c41bda7e85 SHA256: 305b4ce3d21ff13a21874d32c30453600d5faf1e847659d801592e12aa75293c	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\z-_06k\37e85546159c2e64b110da791a0612ac.xzzx	52.14 KB (53387 bytes)	MD5: d2adcf55c513781c3a0ff0aca1610a93 SHA1: c29e2e116b9a017537094c3606558b780da6549c SHA256: 107d60e5d312b72daa6cd8f07ba404c2b1b1c37625bb2486a57dc65f981e8a1f	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\z-_06k\89dd89fe1bc33afa435ca8a71fe81f42.xzzx	93.96 KB (96218 bytes)	MD5: 5ccf7d4e5a3ea00b039c7db57a91d20b SHA1: a6da62cfd14fce05dba048b0075bc090580e7a2a SHA256: 2597a5dadd07f0095f2a769dc58eb1c343dd894af0dd20618accdc1a92845793	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\z-_06k\wpc5n64xvm\04bf022041d4f9a43c1202c84609ddec.xzzx	65.51 KB (67087 bytes)	MD5: 6c8489d244a368498979a0cd5539ded4 SHA1: 3f6b769b7209fff99d1f7c531c8a657e66f3c89d SHA256: 1b184a04ebbb0dfdb2b9cd87e6f9acebb2a590bc6123c591cfd44726f1916df9	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\z-_06k\wpc5n64xvm\1cb22af03a177b10110664b53e3c5f58.xzzx	86.96 KB (89051 bytes)	MD5: 8a27e67fbb78157633b21d99f0c7282f SHA1: 7457b0c2e8e4b3118791ad6b3939d0058c7ed3fc SHA256: 0e5c9dfa5cdf5b9d8acb7684b179d3a2faf8985a889e01d1680aabd645d18975	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\z-_06k\wpc5n64xvm\7b5559382a0fd2b4c13f23862e44b6fc.xzzx	8.49 KB (8693 bytes)	MD5: 5e56780a1de42366d923fccefc6e06ae SHA1: 48aabba1a0a0f96caea07c5446bf15061608f557 SHA256: 6f0dd064e70b8baf81acb65512cdea5fc5347541cb2ffd7a619e81b774965eff	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\videos\z-_06k\wpc5n64xvm\e3086e520d4ee960428796111173cda8.xzzx	8.92 KB (9132 bytes)	MD5: 75c805096f37b62dacad6b6a70fddb1c SHA1: 388da3051632c38732ce931ddc5eb939c391f847 SHA256: 1319d7be3eda3975014e5099a83c900b830575f57b53ba1dc7cba5e4ef1d5b70	File Actions Show Properties Download
c:\users\public\9665d59245322dd390020d724953121b.xzzx	0.33 KB (339 bytes)	MD5: 0891752ebc90dac12b5b050aaab970ce SHA1: 852006f7332adb918603f644109950adc09e9cd3 SHA256: 67698a3c14bba57840b473f9af3667d969c1fcd1ccf9c42f8bb5c57a1004565a	File Actions Show Properties Download
c:\users\public\documents\94338bda105a8f7e16cc5903148f73c6.xzzx	0.43 KB (443 bytes)	MD5: 3fb369a47db4261bdc49e7e4a2a29f92 SHA1: ebbeb9a1fad843d79e1677b5e0eb7a9c4224ab1f SHA256: e357e3ce089f949aa8a0f6dba3c8db6f6cf500e5812221b5bfd656a58b74f75c	File Actions Show Properties Download
c:\users\public\downloads\bc1d727a30ed2409a03b25c6350e0851.xzzx	0.33 KB (339 bytes)	MD5: bcdd7b264e921d42ccaa60cd609d17b6 SHA1: 4f155b0d4ef3097015b5e98e4858f88fd2406b95 SHA256: 29394518a819e0de6cfa26c66940708cd4426df3d74450c7a95776bd72a8f874	File Actions Show Properties Download
c:\users\public\libraries\721728630b1f6bb259c033230f404ffa.xzzx	1.04 KB (1061 bytes)	MD5: 59ae19796ff834f91a4f14bbb53f58a6 SHA1: 00b2a15d997924601a522a3b353f9f817224bd24 SHA256: 0cdd2a9c7e81f46e9f0d9ae5a9428dd38e99d98c91ea605959d87efacb1495c3	File Actions Show Properties Download
c:\users\public\libraries\50c930c63ecf303723410a464304147f.xzzx	0.25 KB (253 bytes)	MD5: a2d1b66694eaf311747b3500d84f5a9d SHA1: 590a2c5977581ee81b162013290b8c71398ab99f SHA256: 49d99bba648588ce463e8e0107123eacad2b08b119e41b1e03ff3af8753f1a9b	File Actions Show Properties Download
c:\users\public\music\de133762273869a1ce952baa2b594de9.xzzx	0.53 KB (545 bytes)	MD5: ad44d7a777871689ca0f1fb07c37f371 SHA1: 2bf4ec3bc21bdab756efc16381fd45e4773ca079 SHA256: 22030c34b18471b52ed52c2fc9c177a827401a1694145e2904ef89dea12ba1cc	File Actions Show Properties Download
c:\users\public\music\sample music\b2babb8113becba807b8242f17f3aff0.xzzx	0.73 KB (751 bytes)	MD5: b184b55c67fe558a3f5689d1a4bacb69 SHA1: 148ecdde9f071747f28b789891330079eaa3b445 SHA256: a1d538d6b558f44b0fda34124437294a6b0717ac5f1467b23443c876b8b63e69	File Actions Show Properties Download
c:\users\public\music\sample music\1758a0bd1a6f8ce6b3a600c11e90712e.xzzx	8.02 MB (8414614 bytes)	MD5: b7b47dba0cb8bf928ed3d08ccea8506f SHA1: 969943096e8451a26ecfb1cb4068f033023143c9 SHA256: d29733d25d73923965d5a62de18c7b5d8658335bf59f9481ff4134a0daab8ebc	File Actions Show Properties Download
c:\users\public\pictures\4fe187580c1ceaecf1249fc21086cf34.xzzx	0.53 KB (545 bytes)	MD5: 6c348891000c92c184a4cee6af48111e SHA1: f51704a90830eb08eaa4004c13d5b923352ec198 SHA256: 500e1ba9f43a8dbf2aaa34c91c6145f36589817504b34468f9a2ead141a2bd81	File Actions Show Properties Download
c:\users\public\music\sample music\a308b77e2f1e65bb59ecacae33534a03.xzzx	3.92 MB (4114075 bytes)	MD5: a02aec4728613cce3cfcadbf233fa37b SHA1: 1a9d1276e9ce89bbb7d57f297caf4b3e7e44b2bf SHA256: ab30d9eca9fadbb58f5648817e0baa42355fb44929232471c6dbfb2900704942	File Actions Show Properties Download
c:\users\public\pictures\sample pictures\28f3174e3d47a1acf4b1346741c785f4.xzzx	858.96 KB (879571 bytes)	MD5: 18378900f89e304a8d26f7043d19f7d3 SHA1: 15280c070e3d7d852e3374fc205723ab365ccfa5 SHA256: d46a6fba15dff761ae17b23f5623f57888f2f9cf89504e7afd38e5f100d803e1	File Actions Show Properties Download
c:\users\public\pictures\sample pictures\d1fd6140114402301247cbc41572e678.xzzx	826.27 KB (846104 bytes)	MD5: 901b205094ff969c906d36f93e0dbd8c SHA1: 316e583d4f6c465f0a21d86964c9f7a7b18b8789 SHA256: a227140ced9d23d74f8c15458b3b636ec9144130d9b6f4414a23d25c045738a9	File Actions Show Properties Download
c:\users\public\pictures\sample pictures\2980fdfd3d56218ae4f6e07941e605d2.xzzx	1.25 KB (1285 bytes)	MD5: cbf4876ed0c4c57bc0f6ef977287ee4a SHA1: 88c26d8c46c1796d5f90516ad6a202ab04cb96d8 SHA256: 2399c4394c79441c6711fc35c2983857bf00b774e851f0dbcd6dbe58698ac2ae	File Actions Show Properties Download
c:\users\public\pictures\sample pictures\a59acd7b3af5e74b902550773f95cb93.xzzx	581.50 KB (595455 bytes)	MD5: ea2350eba4d19301ec89c2460a22cee3 SHA1: e194fe3ec1332f455df08db1cdb770df7238a547 SHA256: 8e7c6e5e4d579dcb083aeed29c16a6ecda7214ede3101adced6e75fc242485af	File Actions Show Properties Download
c:\users\public\pictures\sample pictures\fa4bf7a60f1f0c98b1c0f8be134df0e0.xzzx	757.69 KB (775871 bytes)	MD5: 764563744807fcd3daafddfe57abac8f SHA1: d54d84c8bfe1d66e395e0f21196217236bf82e92 SHA256: 08cd68152727103af96698ec06376768cb2b77a80819ea7327ae3f602dde61ac	File Actions Show Properties Download
c:\users\public\pictures\sample pictures\4bf5528040685af08ee9fd2844da3f38.xzzx	762.69 KB (780992 bytes)	MD5: d849c7084f501697a5c2197b24dcf0c4 SHA1: ee5519794478e2eff4c509bc63c1161dc83218fe SHA256: 3758284a663f556b3dc898173d4d26a37323dffffe6071b25f231a98acc16c13	File Actions Show Properties Download
c:\users\public\pictures\sample pictures\0fc22e9a1aa1fd13e54a88961ec7e15b.xzzx	548.29 KB (561447 bytes)	MD5: 958344aa07574b253dd767216b61542c SHA1: 3322c081a58b29899c3ecef3e110e38d309c469c SHA256: 4d7c6a79e46fc0ebdb14a2465eb1a89edb45d4b0061126ce7b81068836fd9cf3	File Actions Show Properties Download
c:\users\public\pictures\sample pictures\847d57104b178490f8f2d4b74fa568d8.xzzx	759.77 KB (778002 bytes)	MD5: fe91f819807b8ddf49e32596d9098f4e SHA1: 02d264420c5324baa0dd87f0cfe715bea928264b SHA256: d2fafd4d9dbac9208f1b6f8fe9e0e04953e08e91052530f7d9e4382047dc0ffb	File Actions Show Properties Download
c:\users\public\pictures\sample pictures\cdc4aaad0836755b78d170410ca859a3.xzzx	606.50 KB (621051 bytes)	MD5: b35c78eaccd098555e18b4c658cc0c06 SHA1: 4965df95e26ba0e597f8b993c5c95bc94d37aec2 SHA256: ca7beb4a5502023e82dca26fd0b3982091ba7384ee72345b6c2ea31446bb5ff8	File Actions Show Properties Download
c:\users\public\recorded tv\1edf30f91e98b984e23edaf123369dcc.xzzx	0.24 KB (245 bytes)	MD5: 0ee588dd9a445dce1444d14054f14fca SHA1: 880e4e3ca365ec2582600c8414151c628fb4f495 SHA256: ac395f6ac161e70b123d3b0cfea6b332efd736f1cc081c4fa9c9fba4244b157a	File Actions Show Properties Download
c:\users\public\recorded tv\sample media\39d4778c1ca7a7942937668620db8bdc.xzzx	0.33 KB (336 bytes)	MD5: 17de83ba5b884fb0273d4bbf87838ad7 SHA1: 6e94c974d05d6d76a510f8d166d052f613f9f614 SHA256: 447227d6d5b4a87a4436a47849afcde1d0ac2432ac46941e9123bce43e623a0b	File Actions Show Properties Download
c:\users\public\videos\9c0539442839caf8e19e36092cafaf40.xzzx	0.53 KB (545 bytes)	MD5: e5fbf8b2b37758c80fc28a8e46b8e0ad SHA1: 49682292020058e6b761843ec235fe5c9a06519a SHA256: 43508baf8ca3930d46c2a29f3549553c54579fab7d6e8a53272a7dff6294e5c3	File Actions Show Properties Download

Modified Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\public\music\sample music\kalimba.mp3	8.02 MB (8414614 bytes)	MD5: b7b47dba0cb8bf928ed3d08ccea8506f SHA1: 969943096e8451a26ecfb1cb4068f033023143c9 SHA256: d29733d25d73923965d5a62de18c7b5d8658335bf59f9481ff4134a0daab8ebc		File Actions Show Properties Download
c:\users\public\music\sample music\maid with the flaxen hair.mp3	3.92 MB (4114075 bytes)	MD5: a02aec4728613cce3cfcadbf233fa37b SHA1: 1a9d1276e9ce89bbb7d57f297caf4b3e7e44b2bf SHA256: ab30d9eca9fadbb58f5648817e0baa42355fb44929232471c6dbfb2900704942		File Actions Show Properties Download

Threads

Thread 0x550

(Host: 4390, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-11-14 19:03:07 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 16317	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x75cf4f2b	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x75cf1252	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x75cf4208	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x75cf359f	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75ce0000	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapCreate, address_out = 0x75cf4a2d	1	Fn
Window	Set Attribute	index = 18446744073709551612, new_long = 0	1	Fn
COM	Create	interface = 00000112-0000-0000-C000-000000000046, cls_context = CLSCTX_LOCAL_SERVER	1	Fn
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = Class not registered	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Handle	module_name = c:\programdata\bce1010314.exe, base_address = 0x55820000	1	Fn
Window	Create	window_name = Press, class_name = BUTTON, wndproc_parameter = 0	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
For performance reasons, the remaining 2202 entries are omitted. The remaining entries can be found in glog.xml.

Thread 0x7b4

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\bootmgr, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x7c8

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\hiberfil.sys, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x7ec

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\pagefile.sys, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x6a4

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\NTUSER.DAT, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x780

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\ntuser.dat.LOG1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x688

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\ntuser.dat.LOG2, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x60c

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x634

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x640

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x690

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\ntuser.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\ntuser.ini, size = 20, size_out = 20	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\DAE2CC280AF9F39884D63ACC0F1AD7E0.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\DAE2CC280AF9F39884D63ACC0F1AD7E0.XZZX, size = 20	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\DAE2CC280AF9F39884D63ACC0F1AD7E0.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\DAE2CC280AF9F39884D63ACC0F1AD7E0.XZZX, size = 20	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\DAE2CC280AF9F39884D63ACC0F1AD7E0.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\DAE2CC280AF9F39884D63ACC0F1AD7E0.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\DAE2CC280AF9F39884D63ACC0F1AD7E0.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 103, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 104, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\ntuser.ini	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\ntuser.ini	1	Fn

Thread 0x5cc

(Host: 3, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\Favorites.vss, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn
Module	Create Mapping	module_name = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\Favorites.vss, filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\Favorites.vss, protection = PAGE_READWRITE, maximum_size = 0		1	Fn

Thread 0x870

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\Desktop.lnk, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\Desktop.lnk, size = 486, size_out = 486	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\323285543E8B2CB8C06CF7B742AC1100.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\323285543E8B2CB8C06CF7B742AC1100.XZZX, size = 486	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\323285543E8B2CB8C06CF7B742AC1100.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\323285543E8B2CB8C06CF7B742AC1100.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\323285543E8B2CB8C06CF7B742AC1100.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\323285543E8B2CB8C06CF7B742AC1100.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\323285543E8B2CB8C06CF7B742AC1100.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 104, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 105, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\Desktop.lnk	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Links\Desktop.lnk	1	Fn

Thread 0x878

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\2_r9zrnyCzzJ.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\2_r9zrnyCzzJ.mp3, size = 22344, size_out = 22344	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\C1C4370F268A7D85910C485D2AAB61CD.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\C1C4370F268A7D85910C485D2AAB61CD.XZZX, size = 22344	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\C1C4370F268A7D85910C485D2AAB61CD.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\C1C4370F268A7D85910C485D2AAB61CD.XZZX, size = 32	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\C1C4370F268A7D85910C485D2AAB61CD.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\C1C4370F268A7D85910C485D2AAB61CD.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\C1C4370F268A7D85910C485D2AAB61CD.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 105, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 106, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\2_r9zrnyCzzJ.mp3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\2_r9zrnyCzzJ.mp3	1	Fn

Thread 0x8ac

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\2--S BWBtG7 nG.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\2--S BWBtG7 nG.mp3, size = 46298, size_out = 46298	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\2ADDD7CE37DE6C473ADF3B8E3BFF508F.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\2ADDD7CE37DE6C473ADF3B8E3BFF508F.XZZX, size = 46298	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\2ADDD7CE37DE6C473ADF3B8E3BFF508F.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\2ADDD7CE37DE6C473ADF3B8E3BFF508F.XZZX, size = 36	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\2ADDD7CE37DE6C473ADF3B8E3BFF508F.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\2ADDD7CE37DE6C473ADF3B8E3BFF508F.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\2ADDD7CE37DE6C473ADF3B8E3BFF508F.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 106, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 107, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\2--S BWBtG7 nG.mp3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\2--S BWBtG7 nG.mp3	1	Fn

Thread 0x8d4

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\2zrMBovJou.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\2zrMBovJou.wav, size = 91071, size_out = 91071	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\D02310330D7F24F9EA0895E311A00941.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\D02310330D7F24F9EA0895E311A00941.XZZX, size = 91071	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\D02310330D7F24F9EA0895E311A00941.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\D02310330D7F24F9EA0895E311A00941.XZZX, size = 28	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\D02310330D7F24F9EA0895E311A00941.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\D02310330D7F24F9EA0895E311A00941.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\D02310330D7F24F9EA0895E311A00941.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 107, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 108, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\2zrMBovJou.wav	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\2zrMBovJou.wav	1	Fn

Thread 0x8d8

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\btD83YaGWQR.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\btD83YaGWQR.m4a, size = 31101, size_out = 31101	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\83899D5A26F059DE25E7413F2B253E26.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\83899D5A26F059DE25E7413F2B253E26.XZZX, size = 31101	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\83899D5A26F059DE25E7413F2B253E26.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\83899D5A26F059DE25E7413F2B253E26.XZZX, size = 30	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\83899D5A26F059DE25E7413F2B253E26.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\83899D5A26F059DE25E7413F2B253E26.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\83899D5A26F059DE25E7413F2B253E26.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 108, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 109, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\btD83YaGWQR.m4a	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\btD83YaGWQR.m4a	1	Fn

Thread 0x8dc

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\BtnyH.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\BtnyH.mp3, size = 54133, size_out = 54133	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\B7D698FE122EFCA3A766339E164FE0EB.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\B7D698FE122EFCA3A766339E164FE0EB.XZZX, size = 54133	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\B7D698FE122EFCA3A766339E164FE0EB.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\B7D698FE122EFCA3A766339E164FE0EB.XZZX, size = 18	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\B7D698FE122EFCA3A766339E164FE0EB.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\B7D698FE122EFCA3A766339E164FE0EB.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\B7D698FE122EFCA3A766339E164FE0EB.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 109, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 110, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\BtnyH.mp3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\BtnyH.mp3	1	Fn

Thread 0x8e0

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\bTxozG6jGL89 vQ7JVm.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\bTxozG6jGL89 vQ7JVm.m4a, size = 65594, size_out = 65594	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\BA853E823C01028A03C2DABB4021E6D2.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\BA853E823C01028A03C2DABB4021E6D2.XZZX, size = 65594	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\BA853E823C01028A03C2DABB4021E6D2.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\BA853E823C01028A03C2DABB4021E6D2.XZZX, size = 46	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\BA853E823C01028A03C2DABB4021E6D2.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\BA853E823C01028A03C2DABB4021E6D2.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\BA853E823C01028A03C2DABB4021E6D2.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 110, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 111, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\bTxozG6jGL89 vQ7JVm.m4a	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\bTxozG6jGL89 vQ7JVm.m4a	1	Fn

Thread 0x8e4

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\dTOAV.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\dTOAV.wav, size = 98226, size_out = 98226	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\ED39CAB90CE3C63A3EAEA7271104AA82.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\ED39CAB90CE3C63A3EAEA7271104AA82.XZZX, size = 98226	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\ED39CAB90CE3C63A3EAEA7271104AA82.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\ED39CAB90CE3C63A3EAEA7271104AA82.XZZX, size = 18	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\ED39CAB90CE3C63A3EAEA7271104AA82.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\ED39CAB90CE3C63A3EAEA7271104AA82.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\ED39CAB90CE3C63A3EAEA7271104AA82.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 111, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 112, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\dTOAV.wav	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\dTOAV.wav	1	Fn

Thread 0x8e8

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\j3v_bMSa tx-.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\j3v_bMSa tx-.m4a, size = 70905, size_out = 70905	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\64527B001382D7BF4D0A170017B7BC07.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\64527B001382D7BF4D0A170017B7BC07.XZZX, size = 70905	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\64527B001382D7BF4D0A170017B7BC07.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\64527B001382D7BF4D0A170017B7BC07.XZZX, size = 32	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\64527B001382D7BF4D0A170017B7BC07.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\64527B001382D7BF4D0A170017B7BC07.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\64527B001382D7BF4D0A170017B7BC07.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 112, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 113, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\j3v_bMSa tx-.m4a	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\j3v_bMSa tx-.m4a	1	Fn

Thread 0x8ec

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\jtsnNF8Wy Jt.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\jtsnNF8Wy Jt.m4a, size = 37437, size_out = 37437	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\3C85A2C827B882D0AC42F6272BD96718.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\3C85A2C827B882D0AC42F6272BD96718.XZZX, size = 37437	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\3C85A2C827B882D0AC42F6272BD96718.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\3C85A2C827B882D0AC42F6272BD96718.XZZX, size = 32	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\3C85A2C827B882D0AC42F6272BD96718.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\3C85A2C827B882D0AC42F6272BD96718.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\3C85A2C827B882D0AC42F6272BD96718.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 113, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 114, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\jtsnNF8Wy Jt.m4a	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\jtsnNF8Wy Jt.m4a	1	Fn

Thread 0x8f0

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\LuguQ9Fu8UwQPMQRFj.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\LuguQ9Fu8UwQPMQRFj.m4a, size = 36617, size_out = 36617	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\C3E4F2C10C4D8EEA8EBC635B106E7332.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\C3E4F2C10C4D8EEA8EBC635B106E7332.XZZX, size = 36617	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\C3E4F2C10C4D8EEA8EBC635B106E7332.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\C3E4F2C10C4D8EEA8EBC635B106E7332.XZZX, size = 44	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\C3E4F2C10C4D8EEA8EBC635B106E7332.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\C3E4F2C10C4D8EEA8EBC635B106E7332.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\C3E4F2C10C4D8EEA8EBC635B106E7332.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 114, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 115, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\LuguQ9Fu8UwQPMQRFj.m4a	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\LuguQ9Fu8UwQPMQRFj.m4a	1	Fn

Thread 0x8f4

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\OPPnhBe-ZTrVhEG421.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\OPPnhBe-ZTrVhEG421.wav, size = 36872, size_out = 36872	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\663067DE2A526ACA340DE0352E734F12.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\663067DE2A526ACA340DE0352E734F12.XZZX, size = 36872	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\663067DE2A526ACA340DE0352E734F12.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\663067DE2A526ACA340DE0352E734F12.XZZX, size = 44	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\663067DE2A526ACA340DE0352E734F12.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\663067DE2A526ACA340DE0352E734F12.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\663067DE2A526ACA340DE0352E734F12.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 115, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 116, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\OPPnhBe-ZTrVhEG421.wav	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\OPPnhBe-ZTrVhEG421.wav	1	Fn

Thread 0x8f8

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\WWsZT9B6tKUn2DClW.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\WWsZT9B6tKUn2DClW.mp3, size = 13312, size_out = 13312	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\B7FE604F2A0F001FC8BF560F2E43E467.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\B7FE604F2A0F001FC8BF560F2E43E467.XZZX, size = 13312	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\B7FE604F2A0F001FC8BF560F2E43E467.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\B7FE604F2A0F001FC8BF560F2E43E467.XZZX, size = 42	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\B7FE604F2A0F001FC8BF560F2E43E467.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\B7FE604F2A0F001FC8BF560F2E43E467.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\B7FE604F2A0F001FC8BF560F2E43E467.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 116, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 117, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\WWsZT9B6tKUn2DClW.mp3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\WWsZT9B6tKUn2DClW.mp3	1	Fn

Thread 0x8fc

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\xN7YDKwcce9C5peK.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\xN7YDKwcce9C5peK.mp3, size = 4536, size_out = 4536	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\38DC595E3788A5BA7503B1493BA98A02.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\38DC595E3788A5BA7503B1493BA98A02.XZZX, size = 4536	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\38DC595E3788A5BA7503B1493BA98A02.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\38DC595E3788A5BA7503B1493BA98A02.XZZX, size = 40	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\38DC595E3788A5BA7503B1493BA98A02.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\38DC595E3788A5BA7503B1493BA98A02.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\38DC595E3788A5BA7503B1493BA98A02.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 117, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 118, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\xN7YDKwcce9C5peK.mp3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\xN7YDKwcce9C5peK.mp3	1	Fn

Thread 0x900

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\zCdoEQ.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\zCdoEQ.wav, size = 86999, size_out = 86999	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\6FB07FDE0CB60F86500F11CF10D6F3CE.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\6FB07FDE0CB60F86500F11CF10D6F3CE.XZZX, size = 86999	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\6FB07FDE0CB60F86500F11CF10D6F3CE.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\6FB07FDE0CB60F86500F11CF10D6F3CE.XZZX, size = 20	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\6FB07FDE0CB60F86500F11CF10D6F3CE.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\6FB07FDE0CB60F86500F11CF10D6F3CE.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\6FB07FDE0CB60F86500F11CF10D6F3CE.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 118, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 119, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\zCdoEQ.wav	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\zCdoEQ.wav	1	Fn

Thread 0x904

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\_iJcWlMQ1CRXwuy.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\_iJcWlMQ1CRXwuy.m4a, size = 75000, size_out = 75000	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\06C3ECFB13862898AA23710517BB0CE0.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\06C3ECFB13862898AA23710517BB0CE0.XZZX, size = 75000	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\06C3ECFB13862898AA23710517BB0CE0.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\06C3ECFB13862898AA23710517BB0CE0.XZZX, size = 38	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\06C3ECFB13862898AA23710517BB0CE0.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\06C3ECFB13862898AA23710517BB0CE0.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\06C3ECFB13862898AA23710517BB0CE0.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 119, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 120, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\_iJcWlMQ1CRXwuy.m4a	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\_iJcWlMQ1CRXwuy.m4a	1	Fn

Thread 0x908

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\3vgH.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\3vgH.m4a, size = 73001, size_out = 73001	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\3006C810075ED0F01F3DE7C50B7FB538.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\3006C810075ED0F01F3DE7C50B7FB538.XZZX, size = 73001	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\3006C810075ED0F01F3DE7C50B7FB538.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\3006C810075ED0F01F3DE7C50B7FB538.XZZX, size = 16	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\3006C810075ED0F01F3DE7C50B7FB538.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\3006C810075ED0F01F3DE7C50B7FB538.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\3006C810075ED0F01F3DE7C50B7FB538.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 120, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 121, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\3vgH.m4a	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\3vgH.m4a	1	Fn

Thread 0x90c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\45 WvgNJuT9AYaRmo.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\45 WvgNJuT9AYaRmo.m4a, size = 11804, size_out = 11804	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\FA78694804C1E3566FC4CB7C08F6C79E.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\FA78694804C1E3566FC4CB7C08F6C79E.XZZX, size = 11804	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\FA78694804C1E3566FC4CB7C08F6C79E.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\FA78694804C1E3566FC4CB7C08F6C79E.XZZX, size = 42	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\FA78694804C1E3566FC4CB7C08F6C79E.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\FA78694804C1E3566FC4CB7C08F6C79E.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\FA78694804C1E3566FC4CB7C08F6C79E.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 121, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 122, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\45 WvgNJuT9AYaRmo.m4a	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\45 WvgNJuT9AYaRmo.m4a	1	Fn

Thread 0x910

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\nvHO8po6UT1lfU646l.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\nvHO8po6UT1lfU646l.mp3, size = 24602, size_out = 24602	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\B02B14800A31A4C0C9DC8D360E528908.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\B02B14800A31A4C0C9DC8D360E528908.XZZX, size = 24602	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\B02B14800A31A4C0C9DC8D360E528908.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\B02B14800A31A4C0C9DC8D360E528908.XZZX, size = 44	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\B02B14800A31A4C0C9DC8D360E528908.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\B02B14800A31A4C0C9DC8D360E528908.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\B02B14800A31A4C0C9DC8D360E528908.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 122, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 123, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\nvHO8po6UT1lfU646l.mp3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\nvHO8po6UT1lfU646l.mp3	1	Fn

Thread 0x914

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\oCadhb.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\oCadhb.wav, size = 86173, size_out = 86173	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\8F1540B007AB3EF89A8099C80BCC2340.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\8F1540B007AB3EF89A8099C80BCC2340.XZZX, size = 86173	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\8F1540B007AB3EF89A8099C80BCC2340.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\8F1540B007AB3EF89A8099C80BCC2340.XZZX, size = 20	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\8F1540B007AB3EF89A8099C80BCC2340.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\8F1540B007AB3EF89A8099C80BCC2340.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\8F1540B007AB3EF89A8099C80BCC2340.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 123, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 124, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\oCadhb.wav	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\oCadhb.wav	1	Fn

Thread 0x918

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\qEqtENZ.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\qEqtENZ.wav, size = 69885, size_out = 69885	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\B1210AAA2257FEA8B6B1D3DD268CE2F0.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\B1210AAA2257FEA8B6B1D3DD268CE2F0.XZZX, size = 69885	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\B1210AAA2257FEA8B6B1D3DD268CE2F0.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\B1210AAA2257FEA8B6B1D3DD268CE2F0.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\B1210AAA2257FEA8B6B1D3DD268CE2F0.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\B1210AAA2257FEA8B6B1D3DD268CE2F0.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\B1210AAA2257FEA8B6B1D3DD268CE2F0.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 124, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 125, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\qEqtENZ.wav	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\qEqtENZ.wav	1	Fn

Thread 0x91c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\S9Jj_mVynZU911YcI-J0.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\S9Jj_mVynZU911YcI-J0.wav, size = 43566, size_out = 43566	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\04BBA0D020119813F8F6E49024327C5B.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\04BBA0D020119813F8F6E49024327C5B.XZZX, size = 43566	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\04BBA0D020119813F8F6E49024327C5B.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\04BBA0D020119813F8F6E49024327C5B.XZZX, size = 48	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\04BBA0D020119813F8F6E49024327C5B.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\04BBA0D020119813F8F6E49024327C5B.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\04BBA0D020119813F8F6E49024327C5B.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 125, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 126, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\S9Jj_mVynZU911YcI-J0.wav	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Music\auOsV3M 9VtNbJuKze\9Y_m-oVB2IyYX\DqOPM\S9Jj_mVynZU911YcI-J0.wav	1	Fn

Thread 0x928

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\0feLIIudH.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\0feLIIudH.gif, size = 44562, size_out = 44562	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\C30CF4F82E58715357484B18328D559B.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\C30CF4F82E58715357484B18328D559B.XZZX, size = 44562	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\C30CF4F82E58715357484B18328D559B.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\C30CF4F82E58715357484B18328D559B.XZZX, size = 26	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\C30CF4F82E58715357484B18328D559B.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\C30CF4F82E58715357484B18328D559B.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\C30CF4F82E58715357484B18328D559B.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 127, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 128, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\0feLIIudH.gif	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\0feLIIudH.gif	1	Fn

Thread 0x92c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\0uVNLdVwplc802HWrb1.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\0uVNLdVwplc802HWrb1.bmp, size = 37028, size_out = 37028	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7EC795ED37AF1A88A52703F73BCFFED0.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7EC795ED37AF1A88A52703F73BCFFED0.XZZX, size = 37028	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7EC795ED37AF1A88A52703F73BCFFED0.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7EC795ED37AF1A88A52703F73BCFFED0.XZZX, size = 46	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7EC795ED37AF1A88A52703F73BCFFED0.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7EC795ED37AF1A88A52703F73BCFFED0.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7EC795ED37AF1A88A52703F73BCFFED0.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 126, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 127, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\0uVNLdVwplc802HWrb1.bmp	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\0uVNLdVwplc802HWrb1.bmp	1	Fn

Thread 0x930

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\2b2gQ2C3WuJEBl.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\2b2gQ2C3WuJEBl.png, size = 40352, size_out = 40352	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7030D20732FB05AE512C0EDB3744E9F6.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7030D20732FB05AE512C0EDB3744E9F6.XZZX, size = 40352	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7030D20732FB05AE512C0EDB3744E9F6.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7030D20732FB05AE512C0EDB3744E9F6.XZZX, size = 36	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7030D20732FB05AE512C0EDB3744E9F6.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7030D20732FB05AE512C0EDB3744E9F6.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7030D20732FB05AE512C0EDB3744E9F6.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 128, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 129, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\2b2gQ2C3WuJEBl.png	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\2b2gQ2C3WuJEBl.png	1	Fn

Thread 0x934

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\5X6u252V SzZ.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\5X6u252V SzZ.gif, size = 101028, size_out = 101028	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\2187C5602F1ADAF08D4383D0333BBF38.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\2187C5602F1ADAF08D4383D0333BBF38.XZZX, size = 101028	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\2187C5602F1ADAF08D4383D0333BBF38.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\2187C5602F1ADAF08D4383D0333BBF38.XZZX, size = 32	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\2187C5602F1ADAF08D4383D0333BBF38.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\2187C5602F1ADAF08D4383D0333BBF38.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\2187C5602F1ADAF08D4383D0333BBF38.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 129, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 130, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\5X6u252V SzZ.gif	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\5X6u252V SzZ.gif	1	Fn

Thread 0x938

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\9s0pX7t.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\9s0pX7t.png, size = 74207, size_out = 74207	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\3A2295CD2F8CD2DF95E7618733C2B727.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\3A2295CD2F8CD2DF95E7618733C2B727.XZZX, size = 74207	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\3A2295CD2F8CD2DF95E7618733C2B727.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\3A2295CD2F8CD2DF95E7618733C2B727.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\3A2295CD2F8CD2DF95E7618733C2B727.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\3A2295CD2F8CD2DF95E7618733C2B727.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\3A2295CD2F8CD2DF95E7618733C2B727.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 130, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 131, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\9s0pX7t.png	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\9s0pX7t.png	1	Fn

Thread 0x93c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\aqn8.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\aqn8.gif, size = 67249, size_out = 67249	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\8F82071C3E6AA36071D28504428B87A8.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\8F82071C3E6AA36071D28504428B87A8.XZZX, size = 67249	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\8F82071C3E6AA36071D28504428B87A8.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\8F82071C3E6AA36071D28504428B87A8.XZZX, size = 16	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\8F82071C3E6AA36071D28504428B87A8.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\8F82071C3E6AA36071D28504428B87A8.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\8F82071C3E6AA36071D28504428B87A8.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 131, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 132, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\aqn8.gif	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\aqn8.gif	1	Fn

Thread 0x940

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\azuNey.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\azuNey.jpg, size = 32242, size_out = 32242	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\C87868381959CC9C63DBF2EC1D8EB0E4.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\C87868381959CC9C63DBF2EC1D8EB0E4.XZZX, size = 32242	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\C87868381959CC9C63DBF2EC1D8EB0E4.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\C87868381959CC9C63DBF2EC1D8EB0E4.XZZX, size = 20	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\C87868381959CC9C63DBF2EC1D8EB0E4.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\C87868381959CC9C63DBF2EC1D8EB0E4.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\C87868381959CC9C63DBF2EC1D8EB0E4.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 132, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 133, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\azuNey.jpg	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\azuNey.jpg	1	Fn

Thread 0x944

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\B4vC-SYblpXq.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\B4vC-SYblpXq.bmp, size = 45391, size_out = 45391	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\567FB4290F0A7CE338C9770B132B612B.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\567FB4290F0A7CE338C9770B132B612B.XZZX, size = 45391	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\567FB4290F0A7CE338C9770B132B612B.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\567FB4290F0A7CE338C9770B132B612B.XZZX, size = 32	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\567FB4290F0A7CE338C9770B132B612B.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\567FB4290F0A7CE338C9770B132B612B.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\567FB4290F0A7CE338C9770B132B612B.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 133, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 134, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\B4vC-SYblpXq.bmp	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\B4vC-SYblpXq.bmp	1	Fn

Thread 0x948

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\bqBGtF.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\bqBGtF.bmp, size = 8478, size_out = 8478	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\6C73D824191052A8389547C51D5A36F0.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\6C73D824191052A8389547C51D5A36F0.XZZX, size = 8478	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\6C73D824191052A8389547C51D5A36F0.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\6C73D824191052A8389547C51D5A36F0.XZZX, size = 20	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\6C73D824191052A8389547C51D5A36F0.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\6C73D824191052A8389547C51D5A36F0.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\6C73D824191052A8389547C51D5A36F0.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 134, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 135, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\bqBGtF.bmp	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\bqBGtF.bmp	1	Fn

Thread 0x94c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\bz3TQY.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\bz3TQY.png, size = 9610, size_out = 9610	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\6D777C541DA727448F863C8E21C80B8C.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\6D777C541DA727448F863C8E21C80B8C.XZZX, size = 9610	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\6D777C541DA727448F863C8E21C80B8C.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\6D777C541DA727448F863C8E21C80B8C.XZZX, size = 20	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\6D777C541DA727448F863C8E21C80B8C.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\6D777C541DA727448F863C8E21C80B8C.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\6D777C541DA727448F863C8E21C80B8C.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 136, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 137, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\bz3TQY.png	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\bz3TQY.png	1	Fn

Thread 0x950

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\dcuecnaq5mY4vS.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\dcuecnaq5mY4vS.jpg, size = 92388, size_out = 92388	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7E711D900E3B4440AF6B05F612702888.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7E711D900E3B4440AF6B05F612702888.XZZX, size = 92388	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7E711D900E3B4440AF6B05F612702888.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7E711D900E3B4440AF6B05F612702888.XZZX, size = 36	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7E711D900E3B4440AF6B05F612702888.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7E711D900E3B4440AF6B05F612702888.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7E711D900E3B4440AF6B05F612702888.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 135, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 136, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\dcuecnaq5mY4vS.jpg	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\dcuecnaq5mY4vS.jpg	1	Fn

Thread 0x954

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\desktop.ini, size = 504, size_out = 504	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\F9ECB5D32975DBFCFCC9E4D92DBFC044.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\F9ECB5D32975DBFCFCC9E4D92DBFC044.XZZX, size = 504	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\F9ECB5D32975DBFCFCC9E4D92DBFC044.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\F9ECB5D32975DBFCFCC9E4D92DBFC044.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\F9ECB5D32975DBFCFCC9E4D92DBFC044.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\F9ECB5D32975DBFCFCC9E4D92DBFC044.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\F9ECB5D32975DBFCFCC9E4D92DBFC044.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 137, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 138, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\desktop.ini	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\desktop.ini	1	Fn

Thread 0x958

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\diyvOkO.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\diyvOkO.gif, size = 19535, size_out = 19535	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\C22D6D6701D063BFF430045506304807.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\C22D6D6701D063BFF430045506304807.XZZX, size = 19535	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\C22D6D6701D063BFF430045506304807.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\C22D6D6701D063BFF430045506304807.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\C22D6D6701D063BFF430045506304807.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\C22D6D6701D063BFF430045506304807.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\C22D6D6701D063BFF430045506304807.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 138, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 139, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\diyvOkO.gif	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\diyvOkO.gif	1	Fn

Thread 0x95c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\d_ywXujVU Wq1E.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\d_ywXujVU Wq1E.jpg, size = 22863, size_out = 22863	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\6274BC861B7171923C3788AB1F9255DA.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\6274BC861B7171923C3788AB1F9255DA.XZZX, size = 22863	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\6274BC861B7171923C3788AB1F9255DA.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\6274BC861B7171923C3788AB1F9255DA.XZZX, size = 36	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\6274BC861B7171923C3788AB1F9255DA.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\6274BC861B7171923C3788AB1F9255DA.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\6274BC861B7171923C3788AB1F9255DA.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 139, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 140, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\d_ywXujVU Wq1E.jpg	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\d_ywXujVU Wq1E.jpg	1	Fn

Thread 0x960

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\E mrX_4M3P5jMLSuXG.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\E mrX_4M3P5jMLSuXG.bmp, size = 50382, size_out = 50382	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\8FACB48C4470F6BE344BE4A448A5DB06.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\8FACB48C4470F6BE344BE4A448A5DB06.XZZX, size = 50382	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\8FACB48C4470F6BE344BE4A448A5DB06.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\8FACB48C4470F6BE344BE4A448A5DB06.XZZX, size = 44	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\8FACB48C4470F6BE344BE4A448A5DB06.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\8FACB48C4470F6BE344BE4A448A5DB06.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\8FACB48C4470F6BE344BE4A448A5DB06.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 140, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 141, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\E mrX_4M3P5jMLSuXG.bmp	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\E mrX_4M3P5jMLSuXG.bmp	1	Fn

Thread 0x964

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\FFqA4 2WndIy.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\FFqA4 2WndIy.gif, size = 30992, size_out = 30992	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\90EAB1CE03D6A9CCF759AEE907F78E14.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\90EAB1CE03D6A9CCF759AEE907F78E14.XZZX, size = 30992	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\90EAB1CE03D6A9CCF759AEE907F78E14.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\90EAB1CE03D6A9CCF759AEE907F78E14.XZZX, size = 34	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\90EAB1CE03D6A9CCF759AEE907F78E14.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\90EAB1CE03D6A9CCF759AEE907F78E14.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\90EAB1CE03D6A9CCF759AEE907F78E14.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 141, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 142, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\FFqA4 2WndIy.gif	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\FFqA4 2WndIy.gif	1	Fn

Thread 0x968

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\fTtF.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\fTtF.bmp, size = 46854, size_out = 46854	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7852C7A011E028AD2E2E29A016150CF5.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7852C7A011E028AD2E2E29A016150CF5.XZZX, size = 46854	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7852C7A011E028AD2E2E29A016150CF5.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7852C7A011E028AD2E2E29A016150CF5.XZZX, size = 16	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7852C7A011E028AD2E2E29A016150CF5.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7852C7A011E028AD2E2E29A016150CF5.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7852C7A011E028AD2E2E29A016150CF5.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 142, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 143, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\fTtF.bmp	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\fTtF.bmp	1	Fn

Thread 0x96c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\g43hR4r2QCQPskvQatT.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\g43hR4r2QCQPskvQatT.png, size = 27415, size_out = 27415	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\D59AAFC73FFFF3FE126A516D4420D846.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\D59AAFC73FFFF3FE126A516D4420D846.XZZX, size = 27415	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\D59AAFC73FFFF3FE126A516D4420D846.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\D59AAFC73FFFF3FE126A516D4420D846.XZZX, size = 46	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\D59AAFC73FFFF3FE126A516D4420D846.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\D59AAFC73FFFF3FE126A516D4420D846.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\D59AAFC73FFFF3FE126A516D4420D846.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 143, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 144, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\g43hR4r2QCQPskvQatT.png	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\g43hR4r2QCQPskvQatT.png	1	Fn

Thread 0x970

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ghz9u7C.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ghz9u7C.png, size = 2490, size_out = 2490	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\5C36794D2643414F2FE671172A8D2597.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\5C36794D2643414F2FE671172A8D2597.XZZX, size = 2490	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\5C36794D2643414F2FE671172A8D2597.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\5C36794D2643414F2FE671172A8D2597.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\5C36794D2643414F2FE671172A8D2597.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\5C36794D2643414F2FE671172A8D2597.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\5C36794D2643414F2FE671172A8D2597.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 144, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 145, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ghz9u7C.png	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ghz9u7C.png	1	Fn

Thread 0x974

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\gpnG5_ q-ZTGc_4b76b.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\gpnG5_ q-ZTGc_4b76b.png, size = 20403, size_out = 20403	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\6E0684500109FC98CFD71110053FE0E0.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\6E0684500109FC98CFD71110053FE0E0.XZZX, size = 20403	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\6E0684500109FC98CFD71110053FE0E0.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\6E0684500109FC98CFD71110053FE0E0.XZZX, size = 46	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\6E0684500109FC98CFD71110053FE0E0.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\6E0684500109FC98CFD71110053FE0E0.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\6E0684500109FC98CFD71110053FE0E0.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 145, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 146, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\gpnG5_ q-ZTGc_4b76b.png	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\gpnG5_ q-ZTGc_4b76b.png	1	Fn

Thread 0x978

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\hl35zcYZE.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\hl35zcYZE.bmp, size = 84612, size_out = 84612	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\A74BC39B153F2E46BB66A40D1960128E.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\A74BC39B153F2E46BB66A40D1960128E.XZZX, size = 84612	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\A74BC39B153F2E46BB66A40D1960128E.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\A74BC39B153F2E46BB66A40D1960128E.XZZX, size = 26	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\A74BC39B153F2E46BB66A40D1960128E.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\A74BC39B153F2E46BB66A40D1960128E.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\A74BC39B153F2E46BB66A40D1960128E.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 146, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 147, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\hl35zcYZE.bmp	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\hl35zcYZE.bmp	1	Fn

Thread 0x97c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\Hx4D_z73m1pGCpzIPXzy.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\Hx4D_z73m1pGCpzIPXzy.bmp, size = 46751, size_out = 46751	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\D2FBB85013E759FE97CF4AF0181D3E46.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\D2FBB85013E759FE97CF4AF0181D3E46.XZZX, size = 46751	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\D2FBB85013E759FE97CF4AF0181D3E46.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\D2FBB85013E759FE97CF4AF0181D3E46.XZZX, size = 48	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\D2FBB85013E759FE97CF4AF0181D3E46.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\D2FBB85013E759FE97CF4AF0181D3E46.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\D2FBB85013E759FE97CF4AF0181D3E46.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 147, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 148, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\Hx4D_z73m1pGCpzIPXzy.bmp	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\Hx4D_z73m1pGCpzIPXzy.bmp	1	Fn

Thread 0x980

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\k3NI.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\k3NI.jpg, size = 59038, size_out = 59038	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7F23998A1ACAB3E49F720F0B1EEB982C.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7F23998A1ACAB3E49F720F0B1EEB982C.XZZX, size = 59038	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7F23998A1ACAB3E49F720F0B1EEB982C.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7F23998A1ACAB3E49F720F0B1EEB982C.XZZX, size = 16	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7F23998A1ACAB3E49F720F0B1EEB982C.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7F23998A1ACAB3E49F720F0B1EEB982C.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7F23998A1ACAB3E49F720F0B1EEB982C.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 148, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 149, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\k3NI.jpg	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\k3NI.jpg	1	Fn

Thread 0x984

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kfqhp.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kfqhp.png, size = 33416, size_out = 33416	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\BD094FF047045CCAB6A2A1584B394112.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\BD094FF047045CCAB6A2A1584B394112.XZZX, size = 33416	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\BD094FF047045CCAB6A2A1584B394112.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\BD094FF047045CCAB6A2A1584B394112.XZZX, size = 18	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\BD094FF047045CCAB6A2A1584B394112.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\BD094FF047045CCAB6A2A1584B394112.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\BD094FF047045CCAB6A2A1584B394112.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 149, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 150, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kfqhp.png	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kfqhp.png	1	Fn

Thread 0x988

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\LiEtBonze.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\LiEtBonze.png, size = 94298, size_out = 94298	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\D5D72CD040472A6053677EF544680EA8.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\D5D72CD040472A6053677EF544680EA8.XZZX, size = 94298	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\D5D72CD040472A6053677EF544680EA8.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\D5D72CD040472A6053677EF544680EA8.XZZX, size = 26	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\D5D72CD040472A6053677EF544680EA8.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\D5D72CD040472A6053677EF544680EA8.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\D5D72CD040472A6053677EF544680EA8.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 150, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 151, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\LiEtBonze.png	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\LiEtBonze.png	1	Fn

Thread 0x98c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\mXMMLg1uw.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\mXMMLg1uw.bmp, size = 68967, size_out = 68967	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\615936DC32228B708230065136576FB8.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\615936DC32228B708230065136576FB8.XZZX, size = 68967	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\615936DC32228B708230065136576FB8.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\615936DC32228B708230065136576FB8.XZZX, size = 26	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\615936DC32228B708230065136576FB8.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\615936DC32228B708230065136576FB8.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\615936DC32228B708230065136576FB8.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 151, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 152, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\mXMMLg1uw.bmp	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\mXMMLg1uw.bmp	1	Fn

Thread 0x990

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\oEKbZ-fUq6tWCg3E9gms.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\oEKbZ-fUq6tWCg3E9gms.gif, size = 48038, size_out = 48038	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4EC1B3383CF01EB849835EF241110300.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4EC1B3383CF01EB849835EF241110300.XZZX, size = 48038	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4EC1B3383CF01EB849835EF241110300.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4EC1B3383CF01EB849835EF241110300.XZZX, size = 48	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4EC1B3383CF01EB849835EF241110300.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4EC1B3383CF01EB849835EF241110300.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4EC1B3383CF01EB849835EF241110300.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 152, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 153, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\oEKbZ-fUq6tWCg3E9gms.gif	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\oEKbZ-fUq6tWCg3E9gms.gif	1	Fn

Thread 0x994

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\pDGmGQvtKPZ_ns.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\pDGmGQvtKPZ_ns.gif, size = 2567, size_out = 2567	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7ABC26D22C977F5CF918EABE30B863A4.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7ABC26D22C977F5CF918EABE30B863A4.XZZX, size = 2567	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7ABC26D22C977F5CF918EABE30B863A4.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7ABC26D22C977F5CF918EABE30B863A4.XZZX, size = 36	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7ABC26D22C977F5CF918EABE30B863A4.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7ABC26D22C977F5CF918EABE30B863A4.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\7ABC26D22C977F5CF918EABE30B863A4.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 153, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 154, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\pDGmGQvtKPZ_ns.gif	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\pDGmGQvtKPZ_ns.gif	1	Fn

Thread 0x998

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\PTV-5E.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\PTV-5E.jpg, size = 9425, size_out = 9425	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\F28BD0F0084D975830F3B58E0C6E7BA0.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\F28BD0F0084D975830F3B58E0C6E7BA0.XZZX, size = 9425	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\F28BD0F0084D975830F3B58E0C6E7BA0.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\F28BD0F0084D975830F3B58E0C6E7BA0.XZZX, size = 20	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\F28BD0F0084D975830F3B58E0C6E7BA0.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\F28BD0F0084D975830F3B58E0C6E7BA0.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\F28BD0F0084D975830F3B58E0C6E7BA0.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 154, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 155, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\PTV-5E.jpg	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\PTV-5E.jpg	1	Fn

Thread 0x99c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\VL2r.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\VL2r.jpg, size = 31259, size_out = 31259	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\FBB049370C08D85D799956BD1029BCA5.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\FBB049370C08D85D799956BD1029BCA5.XZZX, size = 31259	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\FBB049370C08D85D799956BD1029BCA5.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\FBB049370C08D85D799956BD1029BCA5.XZZX, size = 16	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\FBB049370C08D85D799956BD1029BCA5.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\FBB049370C08D85D799956BD1029BCA5.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\FBB049370C08D85D799956BD1029BCA5.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 155, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 156, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\VL2r.jpg	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\VL2r.jpg	1	Fn

Thread 0x9a0

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\VUaHmntzHPrBw9rs6O1.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\VUaHmntzHPrBw9rs6O1.jpg, size = 100592, size_out = 100592	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\609D61282FED0EE4AFD8291A340DF32C.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\609D61282FED0EE4AFD8291A340DF32C.XZZX, size = 100592	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\609D61282FED0EE4AFD8291A340DF32C.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\609D61282FED0EE4AFD8291A340DF32C.XZZX, size = 46	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\609D61282FED0EE4AFD8291A340DF32C.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\609D61282FED0EE4AFD8291A340DF32C.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\609D61282FED0EE4AFD8291A340DF32C.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 156, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 157, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\VUaHmntzHPrBw9rs6O1.jpg	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\VUaHmntzHPrBw9rs6O1.jpg	1	Fn

Thread 0x9a4

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\wbMFjBguMLJG3mRfnnUn.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\wbMFjBguMLJG3mRfnnUn.bmp, size = 26048, size_out = 26048	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1698FA38038EB2CD51213BC807C39715.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1698FA38038EB2CD51213BC807C39715.XZZX, size = 26048	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1698FA38038EB2CD51213BC807C39715.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1698FA38038EB2CD51213BC807C39715.XZZX, size = 48	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1698FA38038EB2CD51213BC807C39715.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1698FA38038EB2CD51213BC807C39715.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1698FA38038EB2CD51213BC807C39715.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 157, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 158, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\wbMFjBguMLJG3mRfnnUn.bmp	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\wbMFjBguMLJG3mRfnnUn.bmp	1	Fn

Thread 0x9a8

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\XL uwZp2bbBe4jnmB.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\XL uwZp2bbBe4jnmB.png, size = 51910, size_out = 51910	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\D3D882303025B5406F9968D234469988.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\D3D882303025B5406F9968D234469988.XZZX, size = 51910	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\D3D882303025B5406F9968D234469988.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\D3D882303025B5406F9968D234469988.XZZX, size = 42	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\D3D882303025B5406F9968D234469988.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\D3D882303025B5406F9968D234469988.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\D3D882303025B5406F9968D234469988.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 158, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 159, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\XL uwZp2bbBe4jnmB.png	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\XL uwZp2bbBe4jnmB.png	1	Fn

Thread 0x9ac

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\y5Mqnfp y9ox7lXm62.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\y5Mqnfp y9ox7lXm62.png, size = 60400, size_out = 60400	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1971D3BF09924C93CB17194F0DC730DB.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1971D3BF09924C93CB17194F0DC730DB.XZZX, size = 60400	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1971D3BF09924C93CB17194F0DC730DB.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1971D3BF09924C93CB17194F0DC730DB.XZZX, size = 44	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1971D3BF09924C93CB17194F0DC730DB.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1971D3BF09924C93CB17194F0DC730DB.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1971D3BF09924C93CB17194F0DC730DB.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 159, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 160, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\y5Mqnfp y9ox7lXm62.png	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\y5Mqnfp y9ox7lXm62.png	1	Fn

Thread 0x9b0

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\Yj-AfpoJM9u50s86.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\Yj-AfpoJM9u50s86.png, size = 56571, size_out = 56571	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\C355F5402BEDF72E504955A0300EDB76.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\C355F5402BEDF72E504955A0300EDB76.XZZX, size = 56571	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\C355F5402BEDF72E504955A0300EDB76.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\C355F5402BEDF72E504955A0300EDB76.XZZX, size = 40	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\C355F5402BEDF72E504955A0300EDB76.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\C355F5402BEDF72E504955A0300EDB76.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\C355F5402BEDF72E504955A0300EDB76.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 160, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 161, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\Yj-AfpoJM9u50s86.png	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\Yj-AfpoJM9u50s86.png	1	Fn

Thread 0x9b4

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ylARzGL.png, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ylARzGL.png, size = 47459, size_out = 47459	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\693610CE0E824D54F2368B0112B7319C.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\693610CE0E824D54F2368B0112B7319C.XZZX, size = 47459	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\693610CE0E824D54F2368B0112B7319C.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\693610CE0E824D54F2368B0112B7319C.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\693610CE0E824D54F2368B0112B7319C.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\693610CE0E824D54F2368B0112B7319C.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\693610CE0E824D54F2368B0112B7319C.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 161, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 162, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ylARzGL.png	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ylARzGL.png	1	Fn

Thread 0x9b8

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Saved Games\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Saved Games\desktop.ini, size = 282, size_out = 282	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Saved Games\C8D828EF44C6B909469A8E7948E79D51.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Saved Games\C8D828EF44C6B909469A8E7948E79D51.XZZX, size = 282	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Saved Games\C8D828EF44C6B909469A8E7948E79D51.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Saved Games\C8D828EF44C6B909469A8E7948E79D51.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Saved Games\C8D828EF44C6B909469A8E7948E79D51.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Saved Games\C8D828EF44C6B909469A8E7948E79D51.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Saved Games\C8D828EF44C6B909469A8E7948E79D51.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 162, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 163, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Saved Games\desktop.ini	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Saved Games\desktop.ini	1	Fn

Thread 0x9bc

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\desktop.ini, size = 524, size_out = 524	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\07542892440C59CA51177AF248413E12.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\07542892440C59CA51177AF248413E12.XZZX, size = 524	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\07542892440C59CA51177AF248413E12.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\07542892440C59CA51177AF248413E12.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\07542892440C59CA51177AF248413E12.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\07542892440C59CA51177AF248413E12.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\07542892440C59CA51177AF248413E12.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 163, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 164, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\desktop.ini	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\desktop.ini	1	Fn

Thread 0x9c0

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\Everywhere.search-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\Everywhere.search-ms, size = 248, size_out = 248	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\22BE9D582E5129D8AA7CE5BC32720E20.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\22BE9D582E5129D8AA7CE5BC32720E20.XZZX, size = 248	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\22BE9D582E5129D8AA7CE5BC32720E20.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\22BE9D582E5129D8AA7CE5BC32720E20.XZZX, size = 40	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\22BE9D582E5129D8AA7CE5BC32720E20.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\22BE9D582E5129D8AA7CE5BC32720E20.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\22BE9D582E5129D8AA7CE5BC32720E20.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 164, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 165, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\Everywhere.search-ms	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\Everywhere.search-ms	1	Fn

Thread 0x9c4

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\Indexed Locations.search-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\Indexed Locations.search-ms, size = 248, size_out = 248	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\86A958F52BA3FCF7083CB8732FD8E13F.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\86A958F52BA3FCF7083CB8732FD8E13F.XZZX, size = 248	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\86A958F52BA3FCF7083CB8732FD8E13F.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\86A958F52BA3FCF7083CB8732FD8E13F.XZZX, size = 54	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\86A958F52BA3FCF7083CB8732FD8E13F.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\86A958F52BA3FCF7083CB8732FD8E13F.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\86A958F52BA3FCF7083CB8732FD8E13F.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 165, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 166, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\Indexed Locations.search-ms	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Searches\Indexed Locations.search-ms	1	Fn

Thread 0x9c8

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\D30YP5u1qzg5-VZ7306q.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\D30YP5u1qzg5-VZ7306q.mkv, size = 47615, size_out = 47615	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\0FCB2DF10CA6B6CB526033CF10C79B13.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\0FCB2DF10CA6B6CB526033CF10C79B13.XZZX, size = 47615	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\0FCB2DF10CA6B6CB526033CF10C79B13.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\0FCB2DF10CA6B6CB526033CF10C79B13.XZZX, size = 48	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\0FCB2DF10CA6B6CB526033CF10C79B13.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\0FCB2DF10CA6B6CB526033CF10C79B13.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\0FCB2DF10CA6B6CB526033CF10C79B13.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 166, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 167, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\D30YP5u1qzg5-VZ7306q.mkv	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\D30YP5u1qzg5-VZ7306q.mkv	1	Fn

Thread 0x9cc

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\desktop.ini, size = 504, size_out = 504	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\D89AF8F8162B0DAE766745D41A4BF1F6.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\D89AF8F8162B0DAE766745D41A4BF1F6.XZZX, size = 504	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\D89AF8F8162B0DAE766745D41A4BF1F6.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\D89AF8F8162B0DAE766745D41A4BF1F6.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\D89AF8F8162B0DAE766745D41A4BF1F6.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\D89AF8F8162B0DAE766745D41A4BF1F6.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\D89AF8F8162B0DAE766745D41A4BF1F6.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 167, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 168, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\desktop.ini	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\desktop.ini	1	Fn

Thread 0x9d4

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\J20J9-k9Q1AQR.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\J20J9-k9Q1AQR.swf, size = 96453, size_out = 96453	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\F12649BC389976C6163CED043CCE5B0E.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\F12649BC389976C6163CED043CCE5B0E.XZZX, size = 96453	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\F12649BC389976C6163CED043CCE5B0E.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\F12649BC389976C6163CED043CCE5B0E.XZZX, size = 34	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\F12649BC389976C6163CED043CCE5B0E.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\F12649BC389976C6163CED043CCE5B0E.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\F12649BC389976C6163CED043CCE5B0E.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 168, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 169, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\J20J9-k9Q1AQR.swf	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\J20J9-k9Q1AQR.swf	1	Fn

Thread 0x9d8

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\l0jm8.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\l0jm8.avi, size = 43569, size_out = 43569	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\23B23FF43A95B5A94696D7543EB699F1.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\23B23FF43A95B5A94696D7543EB699F1.XZZX, size = 43569	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\23B23FF43A95B5A94696D7543EB699F1.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\23B23FF43A95B5A94696D7543EB699F1.XZZX, size = 18	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\23B23FF43A95B5A94696D7543EB699F1.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\23B23FF43A95B5A94696D7543EB699F1.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\23B23FF43A95B5A94696D7543EB699F1.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 169, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 170, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\l0jm8.avi	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\l0jm8.avi	1	Fn

Thread 0x9dc

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\s2dwcVO_4E6w.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\s2dwcVO_4E6w.flv, size = 36634, size_out = 36634	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\D0384500388B9600F42B1AE33CC07A48.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\D0384500388B9600F42B1AE33CC07A48.XZZX, size = 36634	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\D0384500388B9600F42B1AE33CC07A48.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\D0384500388B9600F42B1AE33CC07A48.XZZX, size = 32	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\D0384500388B9600F42B1AE33CC07A48.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\D0384500388B9600F42B1AE33CC07A48.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\D0384500388B9600F42B1AE33CC07A48.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 170, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 171, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\s2dwcVO_4E6w.flv	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\s2dwcVO_4E6w.flv	1	Fn

Thread 0x9e0

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\zpPjma0L3Hj-_nB.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\zpPjma0L3Hj-_nB.mp4, size = 28492, size_out = 28492	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3A21FB2547CB7719582A8C7F4BEC5B61.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3A21FB2547CB7719582A8C7F4BEC5B61.XZZX, size = 28492	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3A21FB2547CB7719582A8C7F4BEC5B61.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3A21FB2547CB7719582A8C7F4BEC5B61.XZZX, size = 38	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3A21FB2547CB7719582A8C7F4BEC5B61.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3A21FB2547CB7719582A8C7F4BEC5B61.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3A21FB2547CB7719582A8C7F4BEC5B61.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 171, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 172, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\zpPjma0L3Hj-_nB.mp4	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\zpPjma0L3Hj-_nB.mp4	1	Fn

Thread 0x9e4

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2 mjBTvZEWz.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2 mjBTvZEWz.swf, size = 9259, size_out = 9259	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\02D7186C2A67434F1071035C2E882797.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\02D7186C2A67434F1071035C2E882797.XZZX, size = 9259	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\02D7186C2A67434F1071035C2E882797.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\02D7186C2A67434F1071035C2E882797.XZZX, size = 30	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\02D7186C2A67434F1071035C2E882797.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\02D7186C2A67434F1071035C2E882797.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\02D7186C2A67434F1071035C2E882797.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 172, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 173, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2 mjBTvZEWz.swf	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2 mjBTvZEWz.swf	1	Fn

Thread 0x9e8

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\92y tDp.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\92y tDp.avi, size = 26548, size_out = 26548	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\0790B504415F6E976181B814459452DF.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\0790B504415F6E976181B814459452DF.XZZX, size = 26548	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\0790B504415F6E976181B814459452DF.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\0790B504415F6E976181B814459452DF.XZZX, size = 24	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\0790B504415F6E976181B814459452DF.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\0790B504415F6E976181B814459452DF.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\0790B504415F6E976181B814459452DF.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 173, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 174, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\92y tDp.avi	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\92y tDp.avi	1	Fn

Thread 0x9ec

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\ArnUUg6o.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\ArnUUg6o.mkv, size = 14715, size_out = 14715	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\816AF2DA29D3EBEF5D033A6E2DF4D037.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\816AF2DA29D3EBEF5D033A6E2DF4D037.XZZX, size = 14715	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\816AF2DA29D3EBEF5D033A6E2DF4D037.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\816AF2DA29D3EBEF5D033A6E2DF4D037.XZZX, size = 24	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\816AF2DA29D3EBEF5D033A6E2DF4D037.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\816AF2DA29D3EBEF5D033A6E2DF4D037.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\816AF2DA29D3EBEF5D033A6E2DF4D037.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 174, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 175, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\ArnUUg6o.mkv	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\ArnUUg6o.mkv	1	Fn

Thread 0x9f0

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\7TSkSEjcLf8xikPUr.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\7TSkSEjcLf8xikPUr.avi, size = 63886, size_out = 63886	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\D1B4BDC437A182A42497439F3BC266EC.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\D1B4BDC437A182A42497439F3BC266EC.XZZX, size = 63886	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\D1B4BDC437A182A42497439F3BC266EC.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\D1B4BDC437A182A42497439F3BC266EC.XZZX, size = 42	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\D1B4BDC437A182A42497439F3BC266EC.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\D1B4BDC437A182A42497439F3BC266EC.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\D1B4BDC437A182A42497439F3BC266EC.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 175, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 176, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\7TSkSEjcLf8xikPUr.avi	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\7TSkSEjcLf8xikPUr.avi	1	Fn

Thread 0x9fc

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\bAFZ2xGuKI.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\bAFZ2xGuKI.swf, size = 7527, size_out = 7527	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\18EF94CC2373DB0BFE65EAD427A8BF53.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\18EF94CC2373DB0BFE65EAD427A8BF53.XZZX, size = 7527	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\18EF94CC2373DB0BFE65EAD427A8BF53.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\18EF94CC2373DB0BFE65EAD427A8BF53.XZZX, size = 28	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\18EF94CC2373DB0BFE65EAD427A8BF53.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\18EF94CC2373DB0BFE65EAD427A8BF53.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\18EF94CC2373DB0BFE65EAD427A8BF53.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 177, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 178, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\bAFZ2xGuKI.swf	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\bAFZ2xGuKI.swf	1	Fn

Thread 0xa0c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\ibE0v-Egfbu047ynw.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\ibE0v-Egfbu047ynw.swf, size = 11132, size_out = 11132	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\3509B27C28C34484E701F4A52D2D28CC.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\3509B27C28C34484E701F4A52D2D28CC.XZZX, size = 11132	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\3509B27C28C34484E701F4A52D2D28CC.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\3509B27C28C34484E701F4A52D2D28CC.XZZX, size = 42	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\3509B27C28C34484E701F4A52D2D28CC.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\3509B27C28C34484E701F4A52D2D28CC.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\3509B27C28C34484E701F4A52D2D28CC.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 176, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 177, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\ibE0v-Egfbu047ynw.swf	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\ibE0v-Egfbu047ynw.swf	1	Fn

Thread 0xa14

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\MI1L.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\MI1L.flv, size = 10577, size_out = 10577	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\5BBECDA81A1E287C9DF89F941E9E0CC4.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\5BBECDA81A1E287C9DF89F941E9E0CC4.XZZX, size = 10577	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\5BBECDA81A1E287C9DF89F941E9E0CC4.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\5BBECDA81A1E287C9DF89F941E9E0CC4.XZZX, size = 16	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\5BBECDA81A1E287C9DF89F941E9E0CC4.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\5BBECDA81A1E287C9DF89F941E9E0CC4.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\5BBECDA81A1E287C9DF89F941E9E0CC4.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 178, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 179, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\MI1L.flv	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\MI1L.flv	1	Fn

Thread 0xa24

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\No0nJ8TKbF9hYhiurGN.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\No0nJ8TKbF9hYhiurGN.mp4, size = 7433, size_out = 7433	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\36D405DA123E25CCEFB9A7DD165F0A14.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\36D405DA123E25CCEFB9A7DD165F0A14.XZZX, size = 7433	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\36D405DA123E25CCEFB9A7DD165F0A14.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\36D405DA123E25CCEFB9A7DD165F0A14.XZZX, size = 46	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\36D405DA123E25CCEFB9A7DD165F0A14.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\36D405DA123E25CCEFB9A7DD165F0A14.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\36D405DA123E25CCEFB9A7DD165F0A14.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 179, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 180, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\No0nJ8TKbF9hYhiurGN.mp4	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\No0nJ8TKbF9hYhiurGN.mp4	1	Fn

Thread 0xa30

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\q_QGnOQQGbujC4p8q.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\q_QGnOQQGbujC4p8q.swf, size = 48418, size_out = 48418	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\7B22A6161CBF8AA2C5439A5220F46EEA.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\7B22A6161CBF8AA2C5439A5220F46EEA.XZZX, size = 48418	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\7B22A6161CBF8AA2C5439A5220F46EEA.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\7B22A6161CBF8AA2C5439A5220F46EEA.XZZX, size = 42	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\7B22A6161CBF8AA2C5439A5220F46EEA.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\7B22A6161CBF8AA2C5439A5220F46EEA.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\7B22A6161CBF8AA2C5439A5220F46EEA.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 180, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 181, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\q_QGnOQQGbujC4p8q.swf	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\q_QGnOQQGbujC4p8q.swf	1	Fn

Thread 0xa44

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\wMr3QKnu.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\wMr3QKnu.mp4, size = 89225, size_out = 89225	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\6B0FB14D2FCD29F7CF6E219F33EE0E3F.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\6B0FB14D2FCD29F7CF6E219F33EE0E3F.XZZX, size = 89225	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\6B0FB14D2FCD29F7CF6E219F33EE0E3F.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\6B0FB14D2FCD29F7CF6E219F33EE0E3F.XZZX, size = 24	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\6B0FB14D2FCD29F7CF6E219F33EE0E3F.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\6B0FB14D2FCD29F7CF6E219F33EE0E3F.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\6B0FB14D2FCD29F7CF6E219F33EE0E3F.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 181, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 182, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\wMr3QKnu.mp4	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\2SS69ds5b7DlSJShTY0o\wMr3QKnu.mp4	1	Fn

Thread 0xa48

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\5Cc08SMWT PKYNwSj.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\5Cc08SMWT PKYNwSj.swf, size = 20285, size_out = 20285	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\60CA942226AA4A29961B00962ADF2E71.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\60CA942226AA4A29961B00962ADF2E71.XZZX, size = 20285	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\60CA942226AA4A29961B00962ADF2E71.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\60CA942226AA4A29961B00962ADF2E71.XZZX, size = 42	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\60CA942226AA4A29961B00962ADF2E71.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\60CA942226AA4A29961B00962ADF2E71.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\60CA942226AA4A29961B00962ADF2E71.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 182, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 183, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\5Cc08SMWT PKYNwSj.swf	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\5Cc08SMWT PKYNwSj.swf	1	Fn

Thread 0xa4c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\i2GwNYb4B.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\i2GwNYb4B.mp4, size = 40696, size_out = 40696	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\E29C4433332B9D3DB3332D67374C8185.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\E29C4433332B9D3DB3332D67374C8185.XZZX, size = 40696	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\E29C4433332B9D3DB3332D67374C8185.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\E29C4433332B9D3DB3332D67374C8185.XZZX, size = 26	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\E29C4433332B9D3DB3332D67374C8185.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\E29C4433332B9D3DB3332D67374C8185.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\E29C4433332B9D3DB3332D67374C8185.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 183, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 184, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\i2GwNYb4B.mp4	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\i2GwNYb4B.mp4	1	Fn

Thread 0xa50

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\NxtD.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\NxtD.flv, size = 44381, size_out = 44381	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\FBBA7EFE065EC5DA534929CE0AC8AA22.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\FBBA7EFE065EC5DA534929CE0AC8AA22.XZZX, size = 44381	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\FBBA7EFE065EC5DA534929CE0AC8AA22.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\FBBA7EFE065EC5DA534929CE0AC8AA22.XZZX, size = 16	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\FBBA7EFE065EC5DA534929CE0AC8AA22.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\FBBA7EFE065EC5DA534929CE0AC8AA22.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\FBBA7EFE065EC5DA534929CE0AC8AA22.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 184, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 185, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\NxtD.flv	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\DTMS 07a7Aq-XEUh0\O903hcW\NxtD.flv	1	Fn

Thread 0xa54

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\6OPfc4qVaMTq.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\6OPfc4qVaMTq.flv, size = 99849, size_out = 99849	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\DB53A738127CCAEBB87D0318169DAF33.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\DB53A738127CCAEBB87D0318169DAF33.XZZX, size = 99849	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\DB53A738127CCAEBB87D0318169DAF33.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\DB53A738127CCAEBB87D0318169DAF33.XZZX, size = 32	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\DB53A738127CCAEBB87D0318169DAF33.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\DB53A738127CCAEBB87D0318169DAF33.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\DB53A738127CCAEBB87D0318169DAF33.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 185, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 186, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\6OPfc4qVaMTq.flv	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\6OPfc4qVaMTq.flv	1	Fn

Thread 0xa58

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\MyRwYX_9-WNJ1OXdc1N.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\MyRwYX_9-WNJ1OXdc1N.mp4, size = 11002, size_out = 11002	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\3B9FB280013C30BC79FE404005721504.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\3B9FB280013C30BC79FE404005721504.XZZX, size = 11002	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\3B9FB280013C30BC79FE404005721504.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\3B9FB280013C30BC79FE404005721504.XZZX, size = 46	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\3B9FB280013C30BC79FE404005721504.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\3B9FB280013C30BC79FE404005721504.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\3B9FB280013C30BC79FE404005721504.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 186, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 187, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\MyRwYX_9-WNJ1OXdc1N.mp4	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\MyRwYX_9-WNJ1OXdc1N.mp4	1	Fn

Thread 0xa5c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\yXpEf4.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\yXpEf4.mkv, size = 72245, size_out = 72245	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\ADBC71E42FBA59E00D479B5F33DB3E28.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\ADBC71E42FBA59E00D479B5F33DB3E28.XZZX, size = 72245	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\ADBC71E42FBA59E00D479B5F33DB3E28.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\ADBC71E42FBA59E00D479B5F33DB3E28.XZZX, size = 20	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\ADBC71E42FBA59E00D479B5F33DB3E28.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\ADBC71E42FBA59E00D479B5F33DB3E28.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\ADBC71E42FBA59E00D479B5F33DB3E28.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 187, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 188, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\yXpEf4.mkv	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\xAriJR5aTdl\yXpEf4.mkv	1	Fn

Thread 0xa60

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\8bunT0Nrx1v M.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\8bunT0Nrx1v M.avi, size = 25016, size_out = 25016	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\8181DC6820279A95628FB268245D7EDD.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\8181DC6820279A95628FB268245D7EDD.XZZX, size = 25016	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\8181DC6820279A95628FB268245D7EDD.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\8181DC6820279A95628FB268245D7EDD.XZZX, size = 34	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\8181DC6820279A95628FB268245D7EDD.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\8181DC6820279A95628FB268245D7EDD.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\8181DC6820279A95628FB268245D7EDD.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 189, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 190, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\8bunT0Nrx1v M.avi	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\8bunT0Nrx1v M.avi	1	Fn

Thread 0xa64

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\aC_Ja4AvvNCLsQMnj7.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\aC_Ja4AvvNCLsQMnj7.swf, size = 95500, size_out = 95500	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\BDD25F14384CC362CBD33ADE3C6DA7AA.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\BDD25F14384CC362CBD33ADE3C6DA7AA.XZZX, size = 95500	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\BDD25F14384CC362CBD33ADE3C6DA7AA.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\BDD25F14384CC362CBD33ADE3C6DA7AA.XZZX, size = 44	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\BDD25F14384CC362CBD33ADE3C6DA7AA.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\BDD25F14384CC362CBD33ADE3C6DA7AA.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\BDD25F14384CC362CBD33ADE3C6DA7AA.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 188, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 189, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\aC_Ja4AvvNCLsQMnj7.swf	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\aC_Ja4AvvNCLsQMnj7.swf	1	Fn

Thread 0xa68

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\bjQVhKZ0dfp8gRtn_Z.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\bjQVhKZ0dfp8gRtn_Z.flv, size = 53200, size_out = 53200	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\37E85546159C2E64B110DA791A0612AC.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\37E85546159C2E64B110DA791A0612AC.XZZX, size = 53200	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\37E85546159C2E64B110DA791A0612AC.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\37E85546159C2E64B110DA791A0612AC.XZZX, size = 44	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\37E85546159C2E64B110DA791A0612AC.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\37E85546159C2E64B110DA791A0612AC.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\37E85546159C2E64B110DA791A0612AC.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 190, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 191, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\bjQVhKZ0dfp8gRtn_Z.flv	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\bjQVhKZ0dfp8gRtn_Z.flv	1	Fn

Thread 0xa6c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\xTAGaGiIpU.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\xTAGaGiIpU.mp4, size = 96047, size_out = 96047	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\89DD89FE1BC33AFA435CA8A71FE81F42.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\89DD89FE1BC33AFA435CA8A71FE81F42.XZZX, size = 96047	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\89DD89FE1BC33AFA435CA8A71FE81F42.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\89DD89FE1BC33AFA435CA8A71FE81F42.XZZX, size = 28	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\89DD89FE1BC33AFA435CA8A71FE81F42.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\89DD89FE1BC33AFA435CA8A71FE81F42.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\89DD89FE1BC33AFA435CA8A71FE81F42.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 191, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 192, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\xTAGaGiIpU.mp4	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\xTAGaGiIpU.mp4	1	Fn

Thread 0xa70

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\AmR.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\AmR.swf, size = 66930, size_out = 66930	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\04BF022041D4F9A43C1202C84609DDEC.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\04BF022041D4F9A43C1202C84609DDEC.XZZX, size = 66930	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\04BF022041D4F9A43C1202C84609DDEC.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\04BF022041D4F9A43C1202C84609DDEC.XZZX, size = 14	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\04BF022041D4F9A43C1202C84609DDEC.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\04BF022041D4F9A43C1202C84609DDEC.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\04BF022041D4F9A43C1202C84609DDEC.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 192, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 193, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\AmR.swf	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\AmR.swf	1	Fn

Thread 0xa74

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\fJw1HV.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\fJw1HV.flv, size = 88888, size_out = 88888	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\1CB22AF03A177B10110664B53E3C5F58.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\1CB22AF03A177B10110664B53E3C5F58.XZZX, size = 88888	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\1CB22AF03A177B10110664B53E3C5F58.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\1CB22AF03A177B10110664B53E3C5F58.XZZX, size = 20	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\1CB22AF03A177B10110664B53E3C5F58.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\1CB22AF03A177B10110664B53E3C5F58.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\1CB22AF03A177B10110664B53E3C5F58.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 193, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 194, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\fJw1HV.flv	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\fJw1HV.flv	1	Fn

Thread 0xa78

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\Moq53i08kUE_j1CIf3Zg.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\Moq53i08kUE_j1CIf3Zg.avi, size = 8502, size_out = 8502	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\7B5559382A0FD2B4C13F23862E44B6FC.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\7B5559382A0FD2B4C13F23862E44B6FC.XZZX, size = 8502	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\7B5559382A0FD2B4C13F23862E44B6FC.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\7B5559382A0FD2B4C13F23862E44B6FC.XZZX, size = 48	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\7B5559382A0FD2B4C13F23862E44B6FC.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\7B5559382A0FD2B4C13F23862E44B6FC.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\7B5559382A0FD2B4C13F23862E44B6FC.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 194, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 195, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\Moq53i08kUE_j1CIf3Zg.avi	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\Moq53i08kUE_j1CIf3Zg.avi	1	Fn

Thread 0xa7c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\v9PzrbehuH3KFc.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\v9PzrbehuH3KFc.mp4, size = 8953, size_out = 8953	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\E3086E520D4EE960428796111173CDA8.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\E3086E520D4EE960428796111173CDA8.XZZX, size = 8953	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\E3086E520D4EE960428796111173CDA8.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\E3086E520D4EE960428796111173CDA8.XZZX, size = 36	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\E3086E520D4EE960428796111173CDA8.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\E3086E520D4EE960428796111173CDA8.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\E3086E520D4EE960428796111173CDA8.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 195, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 196, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\v9PzrbehuH3KFc.mp4	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Videos\Z-_06k\wpc5n64XVm\v9PzrbehuH3KFc.mp4	1	Fn

Thread 0xa80

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\NTUSER.DAT, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xa84

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\NTUSER.DAT.LOG, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xa88

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\NTUSER.DAT.LOG1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xa8c

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\NTUSER.DAT.LOG2, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xa90

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xa94

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xa98

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xa9c

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\ntuser.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xaa0

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Contacts\Administrator.contact, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xaa4

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Contacts\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xab0

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Documents\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xab4

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Downloads\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xab8

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xabc

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\Links\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xac0

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\Links\Web Slice Gallery.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xac4

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\Microsoft Websites\IE Add-on site.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xac8

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\Microsoft Websites\IE site on Microsoft.com.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xacc

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\Microsoft Websites\Microsoft At Home.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xad0

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\Microsoft Websites\Microsoft At Work.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xad4

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\Microsoft Websites\Microsoft Store.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xad8

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\MSN Websites\MSN Autos.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xadc

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\MSN Websites\MSN Entertainment.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xae0

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\MSN Websites\MSN Money.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xae4

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\MSN Websites\MSN Sports.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xae8

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\MSN Websites\MSN.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xaec

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\MSN Websites\MSNBC News.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xaf0

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\Windows Live\Get Windows Live.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xaf4

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\Windows Live\Windows Live Gallery.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xaf8

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\Windows Live\Windows Live Mail.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xafc

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\Windows Live\Windows Live Spaces.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xb00

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Links\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xb04

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Links\Desktop.lnk, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xb08

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Links\Downloads.lnk, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xb10

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Links\RecentPlaces.lnk, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xb14

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Music\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xb18

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Pictures\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xb1c

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Saved Games\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xb20

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Searches\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xb24

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Searches\Everywhere.search-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xb28

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Searches\Indexed Locations.search-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xb2c

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Videos\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xb30

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\Public\desktop.ini, size = 174, size_out = 174	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\Public\9665D59245322DD390020D724953121B.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\Public\9665D59245322DD390020D724953121B.XZZX, size = 174	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\9665D59245322DD390020D724953121B.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\9665D59245322DD390020D724953121B.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\9665D59245322DD390020D724953121B.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\Public\9665D59245322DD390020D724953121B.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\9665D59245322DD390020D724953121B.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 196, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 197, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\Public\desktop.ini	1	Fn
File	Delete	filename = \\?\C:\Users\Public\desktop.ini	1	Fn

Thread 0xb38

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\Documents\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\Public\Documents\desktop.ini, size = 278, size_out = 278	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\Public\Documents\94338BDA105A8F7E16CC5903148F73C6.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\Public\Documents\94338BDA105A8F7E16CC5903148F73C6.XZZX, size = 278	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Documents\94338BDA105A8F7E16CC5903148F73C6.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Documents\94338BDA105A8F7E16CC5903148F73C6.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Documents\94338BDA105A8F7E16CC5903148F73C6.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\Public\Documents\94338BDA105A8F7E16CC5903148F73C6.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Documents\94338BDA105A8F7E16CC5903148F73C6.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 197, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 198, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Documents\desktop.ini	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Documents\desktop.ini	1	Fn

Thread 0xb3c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\Downloads\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\Public\Downloads\desktop.ini, size = 174, size_out = 174	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\Public\Downloads\BC1D727A30ED2409A03B25C6350E0851.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\Public\Downloads\BC1D727A30ED2409A03B25C6350E0851.XZZX, size = 174	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Downloads\BC1D727A30ED2409A03B25C6350E0851.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Downloads\BC1D727A30ED2409A03B25C6350E0851.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Downloads\BC1D727A30ED2409A03B25C6350E0851.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\Public\Downloads\BC1D727A30ED2409A03B25C6350E0851.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Downloads\BC1D727A30ED2409A03B25C6350E0851.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 198, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 199, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Downloads\desktop.ini	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Downloads\desktop.ini	1	Fn

Thread 0xb40

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\Libraries\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\Public\Libraries\desktop.ini, size = 88, size_out = 88	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\Public\Libraries\50C930C63ECF303723410A464304147F.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\Public\Libraries\50C930C63ECF303723410A464304147F.XZZX, size = 88	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Libraries\50C930C63ECF303723410A464304147F.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Libraries\50C930C63ECF303723410A464304147F.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Libraries\50C930C63ECF303723410A464304147F.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\Public\Libraries\50C930C63ECF303723410A464304147F.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Libraries\50C930C63ECF303723410A464304147F.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 200, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 201, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Libraries\desktop.ini	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Libraries\desktop.ini	1	Fn

Thread 0xb44

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\Libraries\RecordedTV.library-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\Public\Libraries\RecordedTV.library-ms, size = 876, size_out = 876	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\Public\Libraries\721728630B1F6BB259C033230F404FFA.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\Public\Libraries\721728630B1F6BB259C033230F404FFA.XZZX, size = 876	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Libraries\721728630B1F6BB259C033230F404FFA.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Libraries\721728630B1F6BB259C033230F404FFA.XZZX, size = 42	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Libraries\721728630B1F6BB259C033230F404FFA.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\Public\Libraries\721728630B1F6BB259C033230F404FFA.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Libraries\721728630B1F6BB259C033230F404FFA.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 199, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 200, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Libraries\RecordedTV.library-ms	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Libraries\RecordedTV.library-ms	1	Fn

Thread 0xb48

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\Music\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\Public\Music\desktop.ini, size = 380, size_out = 380	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\Public\Music\DE133762273869A1CE952BAA2B594DE9.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\Public\Music\Sample Music\desktop.ini, size = 380	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Music\Sample Music\desktop.ini, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Music\Sample Music\desktop.ini, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Music\Sample Music\desktop.ini, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\Public\Music\Sample Music\desktop.ini, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Music\Sample Music\desktop.ini, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 201, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 202, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Music\desktop.ini	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Music\desktop.ini	1	Fn

Thread 0xb4c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\Music\Sample Music\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\Public\Music\Sample Music\desktop.ini, size = 586, size_out = 586	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\Public\Music\Sample Music\B2BABB8113BECBA807B8242F17F3AFF0.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\Public\Music\Sample Music\B2BABB8113BECBA807B8242F17F3AFF0.XZZX, size = 586	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Music\Sample Music\B2BABB8113BECBA807B8242F17F3AFF0.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Music\Sample Music\B2BABB8113BECBA807B8242F17F3AFF0.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Music\Sample Music\B2BABB8113BECBA807B8242F17F3AFF0.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\Public\Music\Sample Music\B2BABB8113BECBA807B8242F17F3AFF0.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Music\Sample Music\B2BABB8113BECBA807B8242F17F3AFF0.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 202, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 203, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Music\Sample Music\desktop.ini	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Music\Sample Music\desktop.ini	1	Fn

Thread 0xb50

(Host: 24, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\Music\Sample Music\Kalimba.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Module	Create Mapping	module_name = \\?\C:\Users\Public\Music\Sample Music\Kalimba.mp3, filename = \\?\C:\Users\Public\Music\Sample Music\Kalimba.mp3, protection = PAGE_READWRITE, maximum_size = 0	1	Fn
Module	Map	\\?\C:\Users\Public\Music\Sample Music\Kalimba.mp3, process_name = c:\programdata\bce1010314.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
Module	Unmap	process_name = c:\programdata\bce1010314.exe	1	Fn
File	Write	filename = \\?\C:\Users\Public\Music\Sample Music\Kalimba.mp3, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Music\Sample Music\Kalimba.mp3, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Music\Sample Music\Kalimba.mp3, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = Ȇ	1	Fn
File	Write	filename = \\?\C:\Users\Public\Music\Sample Music\Kalimba.mp3, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Music\Sample Music\Kalimba.mp3, size = 5	1	Fn Data
File	Move	source_filename = \\?\C:\Users\Public\Music\Sample Music\Kalimba.mp3, destination_filename = \\?\C:\Users\Public\Music\Sample Music\1758A0BD1A6F8CE6B3A600C11E90712E.XZZX, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 203, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 204, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn

Thread 0xb54

(Host: 24, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Module	Create Mapping	module_name = \\?\C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3, filename = \\?\C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3, protection = PAGE_READWRITE, maximum_size = 0	1	Fn
Module	Map	\\?\C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3, process_name = c:\programdata\bce1010314.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
Module	Unmap	process_name = c:\programdata\bce1010314.exe	1	Fn
File	Write	filename = \\?\C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3, size = 58	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = Ȇ	1	Fn
File	Write	filename = \\?\C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3, size = 5	1	Fn Data
File	Move	source_filename = \\?\C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3, destination_filename = \\?\C:\Users\Public\Music\Sample Music\A308B77E2F1E65BB59ECACAE33534A03.XZZX, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 205, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 206, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn

Thread 0xb58

(Host: 24, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\Music\Sample Music\Sleep Away.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Module	Create Mapping	module_name = \\?\C:\Users\Public\Music\Sample Music\Sleep Away.mp3, filename = \\?\C:\Users\Public\Music\Sample Music\Sleep Away.mp3, protection = PAGE_READWRITE, maximum_size = 0	1	Fn
Module	Map	\\?\C:\Users\Public\Music\Sample Music\Sleep Away.mp3, process_name = c:\programdata\bce1010314.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
Module	Unmap	process_name = c:\programdata\bce1010314.exe	1	Fn
File	Write	filename = \\?\C:\Users\Public\Music\Sample Music\Sleep Away.mp3, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Music\Sample Music\Sleep Away.mp3, size = 28	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Music\Sample Music\Sleep Away.mp3, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = Ȇ	1	Fn
File	Write	filename = \\?\C:\Users\Public\Music\Sample Music\Sleep Away.mp3, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Music\Sample Music\Sleep Away.mp3, size = 5	1	Fn Data
File	Move	source_filename = \\?\C:\Users\Public\Music\Sample Music\Sleep Away.mp3, destination_filename = \\?\C:\Users\Public\Music\Sample Music\37DA6C30402385B0E323002B44E969F8.XZZX, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 219, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 220, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn

Thread 0xb5c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\Pictures\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\Public\Pictures\desktop.ini, size = 380, size_out = 380	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\Public\Pictures\4FE187580C1CEAECF1249FC21086CF34.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg, size = 380	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 204, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 205, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Pictures\desktop.ini	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Pictures\desktop.ini	1	Fn

Thread 0xb60

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg, size = 879394, size_out = 879394	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\28F3174E3D47A1ACF4B1346741C785F4.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\28F3174E3D47A1ACF4B1346741C785F4.XZZX, size = 879394	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\28F3174E3D47A1ACF4B1346741C785F4.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\28F3174E3D47A1ACF4B1346741C785F4.XZZX, size = 34	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\28F3174E3D47A1ACF4B1346741C785F4.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\28F3174E3D47A1ACF4B1346741C785F4.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\28F3174E3D47A1ACF4B1346741C785F4.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 206, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 207, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg	1	Fn

Thread 0xb64

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Desert.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Desert.jpg, size = 845941, size_out = 845941	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\D1FD6140114402301247CBC41572E678.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\D1FD6140114402301247CBC41572E678.XZZX, size = 845941	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\D1FD6140114402301247CBC41572E678.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\D1FD6140114402301247CBC41572E678.XZZX, size = 20	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\D1FD6140114402301247CBC41572E678.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\D1FD6140114402301247CBC41572E678.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\D1FD6140114402301247CBC41572E678.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 207, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 208, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Desert.jpg	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Desert.jpg	1	Fn

Thread 0xb68

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\desktop.ini, size = 1120, size_out = 1120	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\2980FDFD3D56218AE4F6E07941E605D2.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\2980FDFD3D56218AE4F6E07941E605D2.XZZX, size = 1120	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\2980FDFD3D56218AE4F6E07941E605D2.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\2980FDFD3D56218AE4F6E07941E605D2.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\2980FDFD3D56218AE4F6E07941E605D2.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\2980FDFD3D56218AE4F6E07941E605D2.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\2980FDFD3D56218AE4F6E07941E605D2.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 208, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 209, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\desktop.ini	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\desktop.ini	1	Fn

Thread 0xb6c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg, size = 595284, size_out = 595284	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\A59ACD7B3AF5E74B902550773F95CB93.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\A59ACD7B3AF5E74B902550773F95CB93.XZZX, size = 595284	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\A59ACD7B3AF5E74B902550773F95CB93.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\A59ACD7B3AF5E74B902550773F95CB93.XZZX, size = 28	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\A59ACD7B3AF5E74B902550773F95CB93.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\A59ACD7B3AF5E74B902550773F95CB93.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\A59ACD7B3AF5E74B902550773F95CB93.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 209, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 210, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg	1	Fn

Thread 0xb70

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg, size = 775702, size_out = 775702	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\FA4BF7A60F1F0C98B1C0F8BE134DF0E0.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\FA4BF7A60F1F0C98B1C0F8BE134DF0E0.XZZX, size = 775702	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\FA4BF7A60F1F0C98B1C0F8BE134DF0E0.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\FA4BF7A60F1F0C98B1C0F8BE134DF0E0.XZZX, size = 26	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\FA4BF7A60F1F0C98B1C0F8BE134DF0E0.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\FA4BF7A60F1F0C98B1C0F8BE134DF0E0.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\FA4BF7A60F1F0C98B1C0F8BE134DF0E0.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 210, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 211, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg	1	Fn

Thread 0xb74

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Koala.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Koala.jpg, size = 780831, size_out = 780831	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\4BF5528040685AF08EE9FD2844DA3F38.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\4BF5528040685AF08EE9FD2844DA3F38.XZZX, size = 780831	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\4BF5528040685AF08EE9FD2844DA3F38.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\4BF5528040685AF08EE9FD2844DA3F38.XZZX, size = 18	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\4BF5528040685AF08EE9FD2844DA3F38.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\4BF5528040685AF08EE9FD2844DA3F38.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\4BF5528040685AF08EE9FD2844DA3F38.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 211, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 212, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Koala.jpg	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Koala.jpg	1	Fn

Thread 0xb78

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg, size = 561276, size_out = 561276	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\0FC22E9A1AA1FD13E54A88961EC7E15B.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\0FC22E9A1AA1FD13E54A88961EC7E15B.XZZX, size = 561276	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\0FC22E9A1AA1FD13E54A88961EC7E15B.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\0FC22E9A1AA1FD13E54A88961EC7E15B.XZZX, size = 28	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\0FC22E9A1AA1FD13E54A88961EC7E15B.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\0FC22E9A1AA1FD13E54A88961EC7E15B.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\0FC22E9A1AA1FD13E54A88961EC7E15B.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 212, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 213, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg	1	Fn

Thread 0xb7c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg, size = 777835, size_out = 777835	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\847D57104B178490F8F2D4B74FA568D8.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\847D57104B178490F8F2D4B74FA568D8.XZZX, size = 777835	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\847D57104B178490F8F2D4B74FA568D8.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\847D57104B178490F8F2D4B74FA568D8.XZZX, size = 24	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\847D57104B178490F8F2D4B74FA568D8.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\847D57104B178490F8F2D4B74FA568D8.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\847D57104B178490F8F2D4B74FA568D8.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 213, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 214, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg	1	Fn

Thread 0xb80

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg, size = 620888, size_out = 620888	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\CDC4AAAD0836755B78D170410CA859A3.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\CDC4AAAD0836755B78D170410CA859A3.XZZX, size = 620888	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\CDC4AAAD0836755B78D170410CA859A3.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\CDC4AAAD0836755B78D170410CA859A3.XZZX, size = 20	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\CDC4AAAD0836755B78D170410CA859A3.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\CDC4AAAD0836755B78D170410CA859A3.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\CDC4AAAD0836755B78D170410CA859A3.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 214, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 215, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg	1	Fn

Thread 0xb84

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\Recorded TV\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\Public\Recorded TV\desktop.ini, size = 80, size_out = 80	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\Public\Recorded TV\1EDF30F91E98B984E23EDAF123369DCC.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\Public\Recorded TV\1EDF30F91E98B984E23EDAF123369DCC.XZZX, size = 80	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Recorded TV\1EDF30F91E98B984E23EDAF123369DCC.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Recorded TV\1EDF30F91E98B984E23EDAF123369DCC.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Recorded TV\1EDF30F91E98B984E23EDAF123369DCC.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\Public\Recorded TV\1EDF30F91E98B984E23EDAF123369DCC.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Recorded TV\1EDF30F91E98B984E23EDAF123369DCC.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 215, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 216, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Recorded TV\desktop.ini	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Recorded TV\desktop.ini	1	Fn

Thread 0xb88

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\Recorded TV\Sample Media\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\Public\Recorded TV\Sample Media\desktop.ini, size = 171, size_out = 171	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\Public\Recorded TV\Sample Media\39D4778C1CA7A7942937668620DB8BDC.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\Public\Recorded TV\Sample Media\39D4778C1CA7A7942937668620DB8BDC.XZZX, size = 171	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Recorded TV\Sample Media\39D4778C1CA7A7942937668620DB8BDC.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Recorded TV\Sample Media\39D4778C1CA7A7942937668620DB8BDC.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Recorded TV\Sample Media\39D4778C1CA7A7942937668620DB8BDC.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\Public\Recorded TV\Sample Media\39D4778C1CA7A7942937668620DB8BDC.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Recorded TV\Sample Media\39D4778C1CA7A7942937668620DB8BDC.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 216, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 217, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Recorded TV\Sample Media\desktop.ini	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Recorded TV\Sample Media\desktop.ini	1	Fn

Thread 0xb8c

(Host: 24, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Module	Create Mapping	module_name = \\?\C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv, filename = \\?\C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv, protection = PAGE_READWRITE, maximum_size = 0	1	Fn
Module	Map	\\?\C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv, process_name = c:\programdata\bce1010314.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
Module	Unmap	process_name = c:\programdata\bce1010314.exe	1	Fn
File	Write	filename = \\?\C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv, size = 58	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = Ȇ	1	Fn
File	Write	filename = \\?\C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv, size = 5	1	Fn Data
File	Move	source_filename = \\?\C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv, destination_filename = \\?\C:\Users\Public\Recorded TV\Sample Media\27FBCCFF13BC6B6F6D9AE66F18224FB7.XZZX, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 220, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 221, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn

Thread 0xb90

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\Videos\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\Public\Videos\desktop.ini, size = 380, size_out = 380	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\Public\Videos\9C0539442839CAF8E19E36092CAFAF40.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\Public\Videos\9C0539442839CAF8E19E36092CAFAF40.XZZX, size = 380	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Videos\9C0539442839CAF8E19E36092CAFAF40.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Videos\9C0539442839CAF8E19E36092CAFAF40.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Videos\9C0539442839CAF8E19E36092CAFAF40.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\Public\Videos\9C0539442839CAF8E19E36092CAFAF40.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Videos\9C0539442839CAF8E19E36092CAFAF40.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 217, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 218, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Videos\desktop.ini	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Videos\desktop.ini	1	Fn

Thread 0xb94

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\Videos\Sample Videos\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\Public\Videos\Sample Videos\desktop.ini, size = 326, size_out = 326	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\Public\Videos\Sample Videos\AE3F22464654D223AFF867CA4A80B66B.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\Public\Videos\Sample Videos\AE3F22464654D223AFF867CA4A80B66B.XZZX, size = 326	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Videos\Sample Videos\AE3F22464654D223AFF867CA4A80B66B.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Videos\Sample Videos\AE3F22464654D223AFF867CA4A80B66B.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Videos\Sample Videos\AE3F22464654D223AFF867CA4A80B66B.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\Public\Videos\Sample Videos\AE3F22464654D223AFF867CA4A80B66B.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Videos\Sample Videos\AE3F22464654D223AFF867CA4A80B66B.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 218, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 219, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Videos\Sample Videos\desktop.ini	1	Fn
File	Delete	filename = \\?\C:\Users\Public\Videos\Sample Videos\desktop.ini	1	Fn

Thread 0xb98

(Host: 24, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\Videos\Sample Videos\Wildlife.wmv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Module	Create Mapping	module_name = \\?\C:\Users\Public\Videos\Sample Videos\Wildlife.wmv, filename = \\?\C:\Users\Public\Videos\Sample Videos\Wildlife.wmv, protection = PAGE_READWRITE, maximum_size = 0	1	Fn
Module	Map	\\?\C:\Users\Public\Videos\Sample Videos\Wildlife.wmv, process_name = c:\programdata\bce1010314.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
Module	Unmap	process_name = c:\programdata\bce1010314.exe	1	Fn
File	Write	filename = \\?\C:\Users\Public\Videos\Sample Videos\Wildlife.wmv, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Videos\Sample Videos\Wildlife.wmv, size = 24	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Videos\Sample Videos\Wildlife.wmv, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = Ȇ	1	Fn
File	Write	filename = \\?\C:\Users\Public\Videos\Sample Videos\Wildlife.wmv, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\Public\Videos\Sample Videos\Wildlife.wmv, size = 5	1	Fn Data
File	Move	source_filename = \\?\C:\Users\Public\Videos\Sample Videos\Wildlife.wmv, destination_filename = \\?\C:\Users\Public\Videos\Sample Videos\168E33E2343B04A525B9D9AE38C0E8ED.XZZX, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 221, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 222, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn

Thread 0xbac

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\bootmgr, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xbb0

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\hiberfil.sys, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xbb4

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\pagefile.sys, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xbc4

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\NTUSER.DAT, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xbc8

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\ntuser.dat.LOG1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xbcc

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\ntuser.dat.LOG2, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xbd0

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xbd4

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xbd8

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xbf8

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\3wes.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\3wes.gif, size = 73509, size_out = 73509	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\3249DFC4336570C648854B1C3600550E.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\3249DFC4336570C648854B1C3600550E.XZZX, size = 73509	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\3249DFC4336570C648854B1C3600550E.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\3249DFC4336570C648854B1C3600550E.XZZX, size = 16	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\3249DFC4336570C648854B1C3600550E.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\3249DFC4336570C648854B1C3600550E.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\3249DFC4336570C648854B1C3600550E.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 222, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 223, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\3wes.gif	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\3wes.gif	1	Fn

Thread 0xbfc

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cjwLkHotFDrB.csv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cjwLkHotFDrB.csv, size = 82839, size_out = 82839	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\831028C931A43BD1AECC4481344F2019.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\831028C931A43BD1AECC4481344F2019.XZZX, size = 82839	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\831028C931A43BD1AECC4481344F2019.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\831028C931A43BD1AECC4481344F2019.XZZX, size = 32	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\831028C931A43BD1AECC4481344F2019.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\831028C931A43BD1AECC4481344F2019.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\831028C931A43BD1AECC4481344F2019.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 223, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 224, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cjwLkHotFDrB.csv	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cjwLkHotFDrB.csv	1	Fn

Thread 0x328

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CtU1cr28O6YeLq5MF4zr.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CtU1cr28O6YeLq5MF4zr.mp3, size = 71402, size_out = 71402	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\5BD0D8BC3761C5798DBF782C3A2CA9C1.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\5BD0D8BC3761C5798DBF782C3A2CA9C1.XZZX, size = 71402	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\5BD0D8BC3761C5798DBF782C3A2CA9C1.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\5BD0D8BC3761C5798DBF782C3A2CA9C1.XZZX, size = 48	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\5BD0D8BC3761C5798DBF782C3A2CA9C1.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\5BD0D8BC3761C5798DBF782C3A2CA9C1.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\5BD0D8BC3761C5798DBF782C3A2CA9C1.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 224, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 225, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CtU1cr28O6YeLq5MF4zr.mp3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CtU1cr28O6YeLq5MF4zr.mp3	1	Fn

Thread 0x404

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\desktop.ini, size = 282, size_out = 282	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\332EDF2812729F5E1FC79588150D83A6.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\332EDF2812729F5E1FC79588150D83A6.XZZX, size = 282	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\332EDF2812729F5E1FC79588150D83A6.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\332EDF2812729F5E1FC79588150D83A6.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\332EDF2812729F5E1FC79588150D83A6.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\332EDF2812729F5E1FC79588150D83A6.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\332EDF2812729F5E1FC79588150D83A6.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 225, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 226, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\desktop.ini	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\desktop.ini	1	Fn

Thread 0x448

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FNPUDpYy3rwMi.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FNPUDpYy3rwMi.flv, size = 54191, size_out = 54191	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\DF31D96F11ED2C2F0C02623D14881077.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\DF31D96F11ED2C2F0C02623D14881077.XZZX, size = 54191	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\DF31D96F11ED2C2F0C02623D14881077.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\DF31D96F11ED2C2F0C02623D14881077.XZZX, size = 34	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\DF31D96F11ED2C2F0C02623D14881077.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\DF31D96F11ED2C2F0C02623D14881077.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\DF31D96F11ED2C2F0C02623D14881077.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 226, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 227, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FNPUDpYy3rwMi.flv	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FNPUDpYy3rwMi.flv	1	Fn

Thread 0x7f4

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FzoKie.rtf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FzoKie.rtf, size = 3703, size_out = 3703	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\DD2F494808F07B7C068185820B9B5FC4.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\DD2F494808F07B7C068185820B9B5FC4.XZZX, size = 3703	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\DD2F494808F07B7C068185820B9B5FC4.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\DD2F494808F07B7C068185820B9B5FC4.XZZX, size = 20	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\DD2F494808F07B7C068185820B9B5FC4.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\DD2F494808F07B7C068185820B9B5FC4.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\DD2F494808F07B7C068185820B9B5FC4.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 227, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 228, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FzoKie.rtf	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FzoKie.rtf	1	Fn

Thread 0x444

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\jkGAH7YstwIc6lZC9j.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\jkGAH7YstwIc6lZC9j.gif, size = 10457, size_out = 10457	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\3AB0A51A1E38C5C557A2A45220D3AA0D.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\3AB0A51A1E38C5C557A2A45220D3AA0D.XZZX, size = 10457	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\3AB0A51A1E38C5C557A2A45220D3AA0D.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\3AB0A51A1E38C5C557A2A45220D3AA0D.XZZX, size = 44	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\3AB0A51A1E38C5C557A2A45220D3AA0D.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\3AB0A51A1E38C5C557A2A45220D3AA0D.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\3AB0A51A1E38C5C557A2A45220D3AA0D.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 228, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 229, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\jkGAH7YstwIc6lZC9j.gif	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\jkGAH7YstwIc6lZC9j.gif	1	Fn

Thread 0x890

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\JYsb.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\JYsb.gif, size = 58542, size_out = 58542	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\7EB57C7406D4CAEAFAE6B2D2099FAF32.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\7EB57C7406D4CAEAFAE6B2D2099FAF32.XZZX, size = 58542	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\7EB57C7406D4CAEAFAE6B2D2099FAF32.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\7EB57C7406D4CAEAFAE6B2D2099FAF32.XZZX, size = 16	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\7EB57C7406D4CAEAFAE6B2D2099FAF32.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\7EB57C7406D4CAEAFAE6B2D2099FAF32.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\7EB57C7406D4CAEAFAE6B2D2099FAF32.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 229, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 230, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\JYsb.gif	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\JYsb.gif	1	Fn

Thread 0xa10

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Lj26CzXci-whK31.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Lj26CzXci-whK31.wav, size = 82671, size_out = 82671	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\992D94E80C53825AE241BB580EEE66A2.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\992D94E80C53825AE241BB580EEE66A2.XZZX, size = 82671	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\992D94E80C53825AE241BB580EEE66A2.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\992D94E80C53825AE241BB580EEE66A2.XZZX, size = 38	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\992D94E80C53825AE241BB580EEE66A2.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\992D94E80C53825AE241BB580EEE66A2.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\992D94E80C53825AE241BB580EEE66A2.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 230, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 231, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Lj26CzXci-whK31.wav	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Lj26CzXci-whK31.wav	1	Fn

Thread 0xa34

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\NvEcGQE86DZ.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\NvEcGQE86DZ.flv, size = 58998, size_out = 58998	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\E50598804514D2A02376220C47BFB6E8.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\E50598804514D2A02376220C47BFB6E8.XZZX, size = 58998	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\E50598804514D2A02376220C47BFB6E8.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\E50598804514D2A02376220C47BFB6E8.XZZX, size = 30	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\E50598804514D2A02376220C47BFB6E8.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\E50598804514D2A02376220C47BFB6E8.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\E50598804514D2A02376220C47BFB6E8.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 231, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 232, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\NvEcGQE86DZ.flv	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\NvEcGQE86DZ.flv	1	Fn

Thread 0xa40

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\oNjA8Krckm-Uh1s9B5p.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\oNjA8Krckm-Uh1s9B5p.mkv, size = 2992, size_out = 2992	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\BB588F142896CA4D429F9F1C2B61AE95.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\BB588F142896CA4D429F9F1C2B61AE95.XZZX, size = 2992	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\BB588F142896CA4D429F9F1C2B61AE95.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\BB588F142896CA4D429F9F1C2B61AE95.XZZX, size = 46	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\BB588F142896CA4D429F9F1C2B61AE95.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\BB588F142896CA4D429F9F1C2B61AE95.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\BB588F142896CA4D429F9F1C2B61AE95.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 232, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 233, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\oNjA8Krckm-Uh1s9B5p.mkv	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\oNjA8Krckm-Uh1s9B5p.mkv	1	Fn

Thread 0xb0c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\oVGbbCOCJnt_S.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\oVGbbCOCJnt_S.bmp, size = 97796, size_out = 97796	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\297441CE2F3A13CA3B4881DA31D4F812.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\297441CE2F3A13CA3B4881DA31D4F812.XZZX, size = 97796	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\297441CE2F3A13CA3B4881DA31D4F812.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\297441CE2F3A13CA3B4881DA31D4F812.XZZX, size = 34	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\297441CE2F3A13CA3B4881DA31D4F812.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\297441CE2F3A13CA3B4881DA31D4F812.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\297441CE2F3A13CA3B4881DA31D4F812.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 234, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 235, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\oVGbbCOCJnt_S.bmp	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\oVGbbCOCJnt_S.bmp	1	Fn

Thread 0x2cc

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\P2Yd7s y0s0iE3pixbWf.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\P2Yd7s y0s0iE3pixbWf.mp4, size = 76004, size_out = 76004	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\B4B65B2031FA98E00EE8EF9234A57D28.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\B4B65B2031FA98E00EE8EF9234A57D28.XZZX, size = 76004	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\B4B65B2031FA98E00EE8EF9234A57D28.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\B4B65B2031FA98E00EE8EF9234A57D28.XZZX, size = 48	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\B4B65B2031FA98E00EE8EF9234A57D28.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\B4B65B2031FA98E00EE8EF9234A57D28.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\B4B65B2031FA98E00EE8EF9234A57D28.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 233, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 234, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\P2Yd7s y0s0iE3pixbWf.mp4	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\P2Yd7s y0s0iE3pixbWf.mp4	1	Fn

Thread 0x118

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\qWhs9jNagvnL0I2S.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\qWhs9jNagvnL0I2S.avi, size = 58258, size_out = 58258	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\9C15BB57408998F37E04B2C943547D3B.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\9C15BB57408998F37E04B2C943547D3B.XZZX, size = 58258	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\9C15BB57408998F37E04B2C943547D3B.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\9C15BB57408998F37E04B2C943547D3B.XZZX, size = 40	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\9C15BB57408998F37E04B2C943547D3B.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\9C15BB57408998F37E04B2C943547D3B.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\9C15BB57408998F37E04B2C943547D3B.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 235, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 236, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\qWhs9jNagvnL0I2S.avi	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\qWhs9jNagvnL0I2S.avi	1	Fn

Thread 0x1c8

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\R29FEAYxqzGKfm4iuq.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\R29FEAYxqzGKfm4iuq.wav, size = 52391, size_out = 52391	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\D93E01F80BAD2630B7A5A4810E480A78.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\D93E01F80BAD2630B7A5A4810E480A78.XZZX, size = 52391	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\D93E01F80BAD2630B7A5A4810E480A78.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\D93E01F80BAD2630B7A5A4810E480A78.XZZX, size = 44	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\D93E01F80BAD2630B7A5A4810E480A78.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\D93E01F80BAD2630B7A5A4810E480A78.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\D93E01F80BAD2630B7A5A4810E480A78.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 236, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 237, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\R29FEAYxqzGKfm4iuq.wav	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\R29FEAYxqzGKfm4iuq.wav	1	Fn

Thread 0x210

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\RcaCR.avi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\RcaCR.avi, size = 35084, size_out = 35084	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\7CD429BC1D46C7CC2845AFAE1FF1AC14.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\7CD429BC1D46C7CC2845AFAE1FF1AC14.XZZX, size = 35084	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\7CD429BC1D46C7CC2845AFAE1FF1AC14.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\7CD429BC1D46C7CC2845AFAE1FF1AC14.XZZX, size = 18	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\7CD429BC1D46C7CC2845AFAE1FF1AC14.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\7CD429BC1D46C7CC2845AFAE1FF1AC14.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\7CD429BC1D46C7CC2845AFAE1FF1AC14.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 237, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 238, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\RcaCR.avi	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\RcaCR.avi	1	Fn

Thread 0x124

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\SdgI3.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\SdgI3.mp4, size = 57604, size_out = 57604	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\3DAB86532684748B01DC4141291F58D3.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\3DAB86532684748B01DC4141291F58D3.XZZX, size = 57604	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\3DAB86532684748B01DC4141291F58D3.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\3DAB86532684748B01DC4141291F58D3.XZZX, size = 18	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\3DAB86532684748B01DC4141291F58D3.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\3DAB86532684748B01DC4141291F58D3.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\3DAB86532684748B01DC4141291F58D3.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 238, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 239, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\SdgI3.mp4	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\SdgI3.mp4	1	Fn

Thread 0xc0

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\XaK4rq6FxAm.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\XaK4rq6FxAm.gif, size = 38492, size_out = 38492	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\DF36633018C45D50D22CF61F1B5F4198.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\DF36633018C45D50D22CF61F1B5F4198.XZZX, size = 38492	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\DF36633018C45D50D22CF61F1B5F4198.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\DF36633018C45D50D22CF61F1B5F4198.XZZX, size = 30	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\DF36633018C45D50D22CF61F1B5F4198.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\DF36633018C45D50D22CF61F1B5F4198.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\DF36633018C45D50D22CF61F1B5F4198.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 239, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 240, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\XaK4rq6FxAm.gif	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\XaK4rq6FxAm.gif	1	Fn

Thread 0xc4

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe, size = 223232, size_out = 223232	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\E81AA92127D9DDF67EDCD7852A74C23E.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\E81AA92127D9DDF67EDCD7852A74C23E.XZZX, size = 223232	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\E81AA92127D9DDF67EDCD7852A74C23E.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\E81AA92127D9DDF67EDCD7852A74C23E.XZZX, size = 42	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\E81AA92127D9DDF67EDCD7852A74C23E.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\E81AA92127D9DDF67EDCD7852A74C23E.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\E81AA92127D9DDF67EDCD7852A74C23E.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 240, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 241, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xzzx_cryptMix.vir.exe	1	Fn

Thread 0x90

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ya6Z9poxN.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ya6Z9poxN.swf, size = 81113, size_out = 81113	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\4F7E052E193A3049491669EE1BD51491.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\4F7E052E193A3049491669EE1BD51491.XZZX, size = 81113	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\4F7E052E193A3049491669EE1BD51491.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\4F7E052E193A3049491669EE1BD51491.XZZX, size = 26	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\4F7E052E193A3049491669EE1BD51491.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\4F7E052E193A3049491669EE1BD51491.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\4F7E052E193A3049491669EE1BD51491.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 241, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 242, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ya6Z9poxN.swf	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ya6Z9poxN.swf	1	Fn

Thread 0x500

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ym0OWp.ods, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ym0OWp.ods, size = 4885, size_out = 4885	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CB04B3811A6F8BBEE0B0B6D31D1A7006.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CB04B3811A6F8BBEE0B0B6D31D1A7006.XZZX, size = 4885	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CB04B3811A6F8BBEE0B0B6D31D1A7006.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CB04B3811A6F8BBEE0B0B6D31D1A7006.XZZX, size = 20	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CB04B3811A6F8BBEE0B0B6D31D1A7006.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CB04B3811A6F8BBEE0B0B6D31D1A7006.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CB04B3811A6F8BBEE0B0B6D31D1A7006.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 242, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 243, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ym0OWp.ods	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ym0OWp.ods	1	Fn

Thread 0x5a4

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\YmOf4LXrg2cAXUtOgh.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\YmOf4LXrg2cAXUtOgh.m4a, size = 28199, size_out = 28199	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\2E75F0001166B900C846E8C014019D48.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\2E75F0001166B900C846E8C014019D48.XZZX, size = 28199	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\2E75F0001166B900C846E8C014019D48.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\2E75F0001166B900C846E8C014019D48.XZZX, size = 44	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\2E75F0001166B900C846E8C014019D48.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\2E75F0001166B900C846E8C014019D48.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\2E75F0001166B900C846E8C014019D48.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 243, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 244, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\YmOf4LXrg2cAXUtOgh.m4a	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\YmOf4LXrg2cAXUtOgh.m4a	1	Fn

Thread 0x58c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\zexl18m.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\zexl18m.mp3, size = 42309, size_out = 42309	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\F1621E5927CB75F785544EA92A665A3F.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\F1621E5927CB75F785544EA92A665A3F.XZZX, size = 42309	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\F1621E5927CB75F785544EA92A665A3F.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\F1621E5927CB75F785544EA92A665A3F.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\F1621E5927CB75F785544EA92A665A3F.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\F1621E5927CB75F785544EA92A665A3F.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\F1621E5927CB75F785544EA92A665A3F.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 244, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 245, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\zexl18m.mp3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\zexl18m.mp3	1	Fn

Thread 0x920

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZZFMbf.odt, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZZFMbf.odt, size = 81289, size_out = 81289	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\8806259228B57EA824563E032B5062F0.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\8806259228B57EA824563E032B5062F0.XZZX, size = 81289	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\8806259228B57EA824563E032B5062F0.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\8806259228B57EA824563E032B5062F0.XZZX, size = 20	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\8806259228B57EA824563E032B5062F0.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\8806259228B57EA824563E032B5062F0.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\8806259228B57EA824563E032B5062F0.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 245, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 246, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZZFMbf.odt	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZZFMbf.odt	1	Fn

Thread 0x924

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\_av9Cb6IPXGAa5C.mp4, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\_av9Cb6IPXGAa5C.mp4, size = 28703, size_out = 28703	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\85EBF6F70B9CC7A102200CB90E37ABE9.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\85EBF6F70B9CC7A102200CB90E37ABE9.XZZX, size = 28703	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\85EBF6F70B9CC7A102200CB90E37ABE9.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\85EBF6F70B9CC7A102200CB90E37ABE9.XZZX, size = 38	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\85EBF6F70B9CC7A102200CB90E37ABE9.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\85EBF6F70B9CC7A102200CB90E37ABE9.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\85EBF6F70B9CC7A102200CB90E37ABE9.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 246, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 247, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\_av9Cb6IPXGAa5C.mp4	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\_av9Cb6IPXGAa5C.mp4	1	Fn

Thread 0x6f4

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\4BTbVX2SL5PMNXlhJi.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\4BTbVX2SL5PMNXlhJi.m4a, size = 27436, size_out = 27436	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\46EBDC270E18B2453D2848DF10B3968D.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\46EBDC270E18B2453D2848DF10B3968D.XZZX, size = 27436	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\46EBDC270E18B2453D2848DF10B3968D.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\46EBDC270E18B2453D2848DF10B3968D.XZZX, size = 44	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\46EBDC270E18B2453D2848DF10B3968D.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\46EBDC270E18B2453D2848DF10B3968D.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\46EBDC270E18B2453D2848DF10B3968D.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 247, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 248, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\4BTbVX2SL5PMNXlhJi.m4a	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\4BTbVX2SL5PMNXlhJi.m4a	1	Fn

Thread 0x588

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\BOrtQ-gODoJ96Mp2i.pps, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\BOrtQ-gODoJ96Mp2i.pps, size = 64879, size_out = 64879	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\83C1838C2E60DE68F9CF738530FBC2B0.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\83C1838C2E60DE68F9CF738530FBC2B0.XZZX, size = 64879	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\83C1838C2E60DE68F9CF738530FBC2B0.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\83C1838C2E60DE68F9CF738530FBC2B0.XZZX, size = 42	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\83C1838C2E60DE68F9CF738530FBC2B0.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\83C1838C2E60DE68F9CF738530FBC2B0.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\83C1838C2E60DE68F9CF738530FBC2B0.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 248, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 249, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\BOrtQ-gODoJ96Mp2i.pps	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\BOrtQ-gODoJ96Mp2i.pps	1	Fn

Thread 0x684

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\RH-9w1ekDlX.swf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\RH-9w1ekDlX.swf, size = 82214, size_out = 82214	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\264E8978238A26C478B38BEE26250B0C.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\264E8978238A26C478B38BEE26250B0C.XZZX, size = 82214	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\264E8978238A26C478B38BEE26250B0C.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\264E8978238A26C478B38BEE26250B0C.XZZX, size = 30	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\264E8978238A26C478B38BEE26250B0C.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\264E8978238A26C478B38BEE26250B0C.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\264E8978238A26C478B38BEE26250B0C.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 249, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 250, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\RH-9w1ekDlX.swf	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\RH-9w1ekDlX.swf	1	Fn

Thread 0x34c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\rvzAqm2.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\rvzAqm2.flv, size = 55140, size_out = 55140	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\6CCF439C27C8E0021B579B862A63C44A.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\6CCF439C27C8E0021B579B862A63C44A.XZZX, size = 55140	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\6CCF439C27C8E0021B579B862A63C44A.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\6CCF439C27C8E0021B579B862A63C44A.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\6CCF439C27C8E0021B579B862A63C44A.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\6CCF439C27C8E0021B579B862A63C44A.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\6CCF439C27C8E0021B579B862A63C44A.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 250, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 251, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\rvzAqm2.flv	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\rvzAqm2.flv	1	Fn

Thread 0x638

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\TrEKohawJ.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\TrEKohawJ.m4a, size = 91677, size_out = 91677	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\B79C27C02FF18394C4F93E40328C67DC.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\B79C27C02FF18394C4F93E40328C67DC.XZZX, size = 91677	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\B79C27C02FF18394C4F93E40328C67DC.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\B79C27C02FF18394C4F93E40328C67DC.XZZX, size = 26	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\B79C27C02FF18394C4F93E40328C67DC.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\B79C27C02FF18394C4F93E40328C67DC.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\B79C27C02FF18394C4F93E40328C67DC.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 251, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 252, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\TrEKohawJ.m4a	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\TrEKohawJ.m4a	1	Fn

Thread 0x744

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\TxQmAhXtJ1.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\TxQmAhXtJ1.mp3, size = 46830, size_out = 46830	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\910A44A405CFC3CC320BF52E086AA814.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\910A44A405CFC3CC320BF52E086AA814.XZZX, size = 46830	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\910A44A405CFC3CC320BF52E086AA814.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\910A44A405CFC3CC320BF52E086AA814.XZZX, size = 28	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\910A44A405CFC3CC320BF52E086AA814.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\910A44A405CFC3CC320BF52E086AA814.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\910A44A405CFC3CC320BF52E086AA814.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 252, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 253, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\TxQmAhXtJ1.mp3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\TxQmAhXtJ1.mp3	1	Fn

Thread 0x68c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\ySq45fyDTuTLWzePdp4.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\ySq45fyDTuTLWzePdp4.m4a, size = 23053, size_out = 23053	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\7A0DF8C008543AF04031BD840AEF1F38.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\7A0DF8C008543AF04031BD840AEF1F38.XZZX, size = 23053	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\7A0DF8C008543AF04031BD840AEF1F38.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\7A0DF8C008543AF04031BD840AEF1F38.XZZX, size = 46	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\7A0DF8C008543AF04031BD840AEF1F38.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\7A0DF8C008543AF04031BD840AEF1F38.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\7A0DF8C008543AF04031BD840AEF1F38.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 253, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 254, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\ySq45fyDTuTLWzePdp4.m4a	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ee7G-xHgdwJfqcsImMM\ySq45fyDTuTLWzePdp4.m4a	1	Fn

Thread 0x3bc

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\5OmbcR7YDw3.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\5OmbcR7YDw3.bmp, size = 52870, size_out = 52870	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\47B40A10111A83A88A73451213B567F0.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\47B40A10111A83A88A73451213B567F0.XZZX, size = 52870	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\47B40A10111A83A88A73451213B567F0.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\47B40A10111A83A88A73451213B567F0.XZZX, size = 30	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\47B40A10111A83A88A73451213B567F0.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\47B40A10111A83A88A73451213B567F0.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\47B40A10111A83A88A73451213B567F0.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 254, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 255, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\5OmbcR7YDw3.bmp	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\5OmbcR7YDw3.bmp	1	Fn

Thread 0x740

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\iyIk6.jpg, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\iyIk6.jpg, size = 75860, size_out = 75860	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\4F6F3FD029568B304D8CACEB2BF16F78.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\4F6F3FD029568B304D8CACEB2BF16F78.XZZX, size = 75860	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\4F6F3FD029568B304D8CACEB2BF16F78.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\4F6F3FD029568B304D8CACEB2BF16F78.XZZX, size = 18	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\4F6F3FD029568B304D8CACEB2BF16F78.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\4F6F3FD029568B304D8CACEB2BF16F78.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\4F6F3FD029568B304D8CACEB2BF16F78.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 255, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 256, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\iyIk6.jpg	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\iyIk6.jpg	1	Fn

Thread 0x3cc

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\rVKi.xlsx, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\rVKi.xlsx, size = 44179, size_out = 44179	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\F3DB6DE6267426E7B67A0B4A290F0B2F.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\F3DB6DE6267426E7B67A0B4A290F0B2F.XZZX, size = 44179	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\F3DB6DE6267426E7B67A0B4A290F0B2F.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\F3DB6DE6267426E7B67A0B4A290F0B2F.XZZX, size = 18	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\F3DB6DE6267426E7B67A0B4A290F0B2F.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\F3DB6DE6267426E7B67A0B4A290F0B2F.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\F3DB6DE6267426E7B67A0B4A290F0B2F.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 256, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 257, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\rVKi.xlsx	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\rVKi.xlsx	1	Fn

Thread 0x6d8

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\UcgnfCPkkGAfI8Infh.pdf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\UcgnfCPkkGAfI8Infh.pdf, size = 65857, size_out = 65857	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\2F277C800E3D000EDE26BEC010D7E456.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\2F277C800E3D000EDE26BEC010D7E456.XZZX, size = 65857	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\2F277C800E3D000EDE26BEC010D7E456.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\2F277C800E3D000EDE26BEC010D7E456.XZZX, size = 44	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\2F277C800E3D000EDE26BEC010D7E456.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\2F277C800E3D000EDE26BEC010D7E456.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\2F277C800E3D000EDE26BEC010D7E456.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 257, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 258, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\UcgnfCPkkGAfI8Infh.pdf	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\UcgnfCPkkGAfI8Infh.pdf	1	Fn

Thread 0x724

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\XiCIIZYNum_VSBs.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\XiCIIZYNum_VSBs.wav, size = 61958, size_out = 61958	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\C85257232EB7E6DDB4D24C9F3152CB25.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\C85257232EB7E6DDB4D24C9F3152CB25.XZZX, size = 61958	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\C85257232EB7E6DDB4D24C9F3152CB25.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\C85257232EB7E6DDB4D24C9F3152CB25.XZZX, size = 38	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\C85257232EB7E6DDB4D24C9F3152CB25.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\C85257232EB7E6DDB4D24C9F3152CB25.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\C85257232EB7E6DDB4D24C9F3152CB25.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 258, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 259, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\XiCIIZYNum_VSBs.wav	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\XiCIIZYNum_VSBs.wav	1	Fn

Thread 0x660

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\ZxQsBuyh.ods, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\ZxQsBuyh.ods, size = 64539, size_out = 64539	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\AC5C0F1C3DCF4B0220525E54406A2F4A.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\AC5C0F1C3DCF4B0220525E54406A2F4A.XZZX, size = 64539	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\AC5C0F1C3DCF4B0220525E54406A2F4A.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\AC5C0F1C3DCF4B0220525E54406A2F4A.XZZX, size = 24	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\AC5C0F1C3DCF4B0220525E54406A2F4A.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\AC5C0F1C3DCF4B0220525E54406A2F4A.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\AC5C0F1C3DCF4B0220525E54406A2F4A.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 259, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 260, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\ZxQsBuyh.ods	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KZ7l4KmpPgbeETV_wvF\ZxQsBuyh.ods	1	Fn

Thread 0x70c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\UzONnSwswGOnlESVfL.mp3, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\UzONnSwswGOnlESVfL.mp3, size = 42981, size_out = 42981	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\8306832F015A14CA9B3B5FDD03F4F912.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\8306832F015A14CA9B3B5FDD03F4F912.XZZX, size = 42981	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\8306832F015A14CA9B3B5FDD03F4F912.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\8306832F015A14CA9B3B5FDD03F4F912.XZZX, size = 44	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\8306832F015A14CA9B3B5FDD03F4F912.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\8306832F015A14CA9B3B5FDD03F4F912.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\8306832F015A14CA9B3B5FDD03F4F912.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 260, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 261, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\UzONnSwswGOnlESVfL.mp3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\UzONnSwswGOnlESVfL.mp3	1	Fn

Thread 0x6a8

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\xtxVVYFEc-NWjSwclj.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\xtxVVYFEc-NWjSwclj.flv, size = 3396, size_out = 3396	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\6F61A1B801317143207838E803DC558B.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\6F61A1B801317143207838E803DC558B.XZZX, size = 3396	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\6F61A1B801317143207838E803DC558B.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\6F61A1B801317143207838E803DC558B.XZZX, size = 44	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\6F61A1B801317143207838E803DC558B.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\6F61A1B801317143207838E803DC558B.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\6F61A1B801317143207838E803DC558B.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 261, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 262, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\xtxVVYFEc-NWjSwclj.flv	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\xtxVVYFEc-NWjSwclj.flv	1	Fn

Thread 0x77c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\zKa6.xls, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\zKa6.xls, size = 75590, size_out = 75590	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\074B93892CEB8207FA07ADC92F86664F.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\074B93892CEB8207FA07ADC92F86664F.XZZX, size = 75590	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\074B93892CEB8207FA07ADC92F86664F.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\074B93892CEB8207FA07ADC92F86664F.XZZX, size = 16	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\074B93892CEB8207FA07ADC92F86664F.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\074B93892CEB8207FA07ADC92F86664F.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\074B93892CEB8207FA07ADC92F86664F.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 262, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 263, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\zKa6.xls	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\zKa6.xls	1	Fn

Thread 0x6e8

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\6IAM.m4a, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\6IAM.m4a, size = 63538, size_out = 63538	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\B71609DC2AB3B518FC7896292D5E9960.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\B71609DC2AB3B518FC7896292D5E9960.XZZX, size = 63538	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\B71609DC2AB3B518FC7896292D5E9960.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\B71609DC2AB3B518FC7896292D5E9960.XZZX, size = 16	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\B71609DC2AB3B518FC7896292D5E9960.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\B71609DC2AB3B518FC7896292D5E9960.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\B71609DC2AB3B518FC7896292D5E9960.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 263, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 264, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\6IAM.m4a	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\6IAM.m4a	1	Fn

Thread 0x74c

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\7IFRA25.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\7IFRA25.gif, size = 29358, size_out = 29358	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\C6FBBCE908271EA962BAF7FD0AC202F1.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\C6FBBCE908271EA962BAF7FD0AC202F1.XZZX, size = 29358	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\C6FBBCE908271EA962BAF7FD0AC202F1.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\C6FBBCE908271EA962BAF7FD0AC202F1.XZZX, size = 22	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\C6FBBCE908271EA962BAF7FD0AC202F1.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\C6FBBCE908271EA962BAF7FD0AC202F1.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\C6FBBCE908271EA962BAF7FD0AC202F1.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 264, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 265, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\7IFRA25.gif	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\7IFRA25.gif	1	Fn

Thread 0x730

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\zd0bLbxkM-mx4VZDX_.flv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\zd0bLbxkM-mx4VZDX_.flv, size = 87711, size_out = 87711	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\A941655030ADE0983EE0D4E83348C4E0.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\A941655030ADE0983EE0D4E83348C4E0.XZZX, size = 87711	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\A941655030ADE0983EE0D4E83348C4E0.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\A941655030ADE0983EE0D4E83348C4E0.XZZX, size = 44	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\A941655030ADE0983EE0D4E83348C4E0.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\A941655030ADE0983EE0D4E83348C4E0.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\A941655030ADE0983EE0D4E83348C4E0.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 265, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 266, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\zd0bLbxkM-mx4VZDX_.flv	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\zd0bLbxkM-mx4VZDX_.flv	1	Fn

Thread 0x614

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\8P6C FwpZ.mkv, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\8P6C FwpZ.mkv, size = 11121, size_out = 11121	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\19D6B3C6392F4722787D5AB33BCA2B6A.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\19D6B3C6392F4722787D5AB33BCA2B6A.XZZX, size = 11121	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\19D6B3C6392F4722787D5AB33BCA2B6A.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\19D6B3C6392F4722787D5AB33BCA2B6A.XZZX, size = 26	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\19D6B3C6392F4722787D5AB33BCA2B6A.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\19D6B3C6392F4722787D5AB33BCA2B6A.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\19D6B3C6392F4722787D5AB33BCA2B6A.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 266, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 267, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\8P6C FwpZ.mkv	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\8P6C FwpZ.mkv	1	Fn

Thread 0x6d4

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\8W8bO.gif, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\8W8bO.gif, size = 10986, size_out = 10986	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\ED641CAF2D7EC8F4296430333019AD3C.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\ED641CAF2D7EC8F4296430333019AD3C.XZZX, size = 10986	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\ED641CAF2D7EC8F4296430333019AD3C.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\ED641CAF2D7EC8F4296430333019AD3C.XZZX, size = 18	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\ED641CAF2D7EC8F4296430333019AD3C.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\ED641CAF2D7EC8F4296430333019AD3C.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\ED641CAF2D7EC8F4296430333019AD3C.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 267, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 268, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\8W8bO.gif	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\8W8bO.gif	1	Fn

Thread 0x6b4

(Host: 26, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\lTddMw6tEfsH.wav, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\lTddMw6tEfsH.wav, size = 86752, size_out = 86752	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7596e124	1	Fn
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\BB5A0C7C1DC2FD429FB87666206DE18A.XZZX, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\BB5A0C7C1DC2FD429FB87666206DE18A.XZZX, size = 86752	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\BB5A0C7C1DC2FD429FB87666206DE18A.XZZX, size = 5	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\BB5A0C7C1DC2FD429FB87666206DE18A.XZZX, size = 32	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\BB5A0C7C1DC2FD429FB87666206DE18A.XZZX, size = 5	1	Fn Data
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = end	1	Fn
Module	Load	module_name = Advapi32.dll, base_address = 0x75960000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7598779b	1	Fn
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\BB5A0C7C1DC2FD429FB87666206DE18A.XZZX, size = 128	1	Fn Data
File	Write	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\BB5A0C7C1DC2FD429FB87666206DE18A.XZZX, size = 5	1	Fn Data
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 268, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, value_name = E1010314, data = 269, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x75cf89b3	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\lTddMw6tEfsH.wav	1	Fn
File	Delete	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ZBiOZr_ 3-6W\3Yo4kg3p-K\0zRcyBT06WYN8R-glJ0\lTddMw6tEfsH.wav	1	Fn

Thread 0x820

(Host: 3, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\Favorites.vss, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn
Module	Create Mapping	module_name = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\Favorites.vss, filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\Favorites.vss, protection = PAGE_READWRITE, maximum_size = 0		1	Fn

Thread 0xecc

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\NTUSER.DAT, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xed0

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\NTUSER.DAT.LOG, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xed4

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\NTUSER.DAT.LOG1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xed8

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\NTUSER.DAT.LOG2, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xedc

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xee0

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xee4

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xee8

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\ntuser.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xeec

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Contacts\Administrator.contact, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xef0

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Contacts\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xef4

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Desktop\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xef8

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Documents\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xefc

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Downloads\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf00

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf04

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\Links\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf08

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\Links\Web Slice Gallery.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf0c

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\Microsoft Websites\IE Add-on site.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf10

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\Microsoft Websites\IE site on Microsoft.com.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf14

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\Microsoft Websites\Microsoft At Home.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf18

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\Microsoft Websites\Microsoft At Work.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf1c

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\Microsoft Websites\Microsoft Store.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf20

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\MSN Websites\MSN Autos.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf24

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\MSN Websites\MSN Entertainment.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf28

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\MSN Websites\MSN Money.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf2c

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\MSN Websites\MSN Sports.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf30

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\MSN Websites\MSN.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf34

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\MSN Websites\MSNBC News.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf38

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\Windows Live\Get Windows Live.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf3c

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\Windows Live\Windows Live Gallery.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf40

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\Windows Live\Windows Live Mail.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf44

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\Windows Live\Windows Live Spaces.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf48

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Links\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf4c

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Links\Desktop.lnk, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf54

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Links\Downloads.lnk, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf58

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Links\RecentPlaces.lnk, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf5c

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Music\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf60

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Pictures\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf64

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Saved Games\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf68

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Searches\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf6c

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Searches\Everywhere.search-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf70

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Searches\Indexed Locations.search-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf74

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Videos\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf7c

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\Desktop\Adobe Reader X.lnk, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf80

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\Desktop\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf84

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\Desktop\Google Chrome.lnk, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0xf88

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Public\Desktop\Mozilla Firefox.lnk, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x1040

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\bootmgr, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x1044

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\hiberfil.sys, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x1048

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\pagefile.sys, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x107c

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\NTUSER.DAT, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x1080

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\ntuser.dat.LOG1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x1084

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\ntuser.dat.LOG2, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x1088

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x108c

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x1090

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x116c

(Host: 3, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\Favorites.vss, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn
Module	Create Mapping	module_name = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\Favorites.vss, filename = \\?\C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\Favorites.vss, protection = PAGE_READWRITE, maximum_size = 0		1	Fn

Thread 0x139c

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\NTUSER.DAT, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x13a0

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\NTUSER.DAT.LOG, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x13a4

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\NTUSER.DAT.LOG1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x13a8

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\NTUSER.DAT.LOG2, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x13ac

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x13b0

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x13b4

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x13b8

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\ntuser.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x13bc

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Contacts\Administrator.contact, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x13c0

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Contacts\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x13c4

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Documents\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x13c8

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Downloads\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x13cc

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x13d4

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\Links\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x13d8

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\Links\Web Slice Gallery.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x13dc

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\Microsoft Websites\IE Add-on site.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x13e0

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\Microsoft Websites\IE site on Microsoft.com.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x13e4

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\Microsoft Websites\Microsoft At Home.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x13e8

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\Microsoft Websites\Microsoft At Work.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x13ec

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\Microsoft Websites\Microsoft Store.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x13f0

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\MSN Websites\MSN Autos.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x13f4

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\MSN Websites\MSN Entertainment.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x13f8

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\MSN Websites\MSN Money.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Thread 0x13fc

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Create	filename = \\?\C:\Users\Default\Favorites\MSN Websites\MSN Sports.url, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE		1	Fn

Process #24: bce1010314.exe

(Host: 3540, Network: 0)

Information	Value
ID	#24
File Name	c:\programdata\bce1010314.exe
Command Line	"C:\ProgramData\BCE1010314.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:16, Reason: Autostart
Unmonitor	End Time: 00:04:21, Reason: Terminated by Timeout
Monitor Duration	00:03:05

OS Process Information

Information	Value
PID	0x560
Parent PID	0x45c (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e620 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 564 0x 608 0x 62C 0x 658 0x 65C 0x 694 0x 6B0 0x 6C8 0x 6E0 0x 700 0x 714 0x 71C 0x 72C 0x 738 0x 754 0x 764 0x 778 0x 784

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001b0000	0x001b0000	0x001b6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001c0000	0x001c0000	0x001c1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000001d0000	0x001d0000	0x0024ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000250000	0x00250000	0x00250fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000260000	0x00260000	0x00261fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000270000	0x00270000	0x0036ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00370000	0x003d6fff	Memory Mapped File	Readable	Region Actions
windowsshell.manifest	0x003e0000	0x003e0fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000003e0000	0x003e0000	0x003e0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000003f0000	0x003f0000	0x003f1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000400000	0x00400000	0x00400fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000410000	0x00410000	0x0041ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000420000	0x00420000	0x005a7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005b0000	0x005b0000	0x00730fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000740000	0x00740000	0x01b3ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001b40000	0x01b40000	0x01bbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001bc0000	0x01bc0000	0x01bfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c00000	0x01c00000	0x01c00fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c10000	0x01c10000	0x01c10fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c20000	0x01c20000	0x01c2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c30000	0x01c30000	0x01c6ffff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x01c70000	0x01cabfff	Memory Mapped File	Readable	Region Actions
private_0x0000000001c70000	0x01c70000	0x01caffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001cb0000	0x01cb0000	0x01cb0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001cc0000	0x01cc0000	0x01ccffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001cd0000	0x01cd0000	0x01daefff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001db0000	0x01db0000	0x01deffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001df0000	0x01df0000	0x01df0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e00000	0x01e00000	0x01e00fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e10000	0x01e10000	0x01e10fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e20000	0x01e20000	0x01e5ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001e60000	0x01e60000	0x02252fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002260000	0x02260000	0x023dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002260000	0x02260000	0x0229ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000022a0000	0x022a0000	0x022a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000022b0000	0x022b0000	0x022b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000022c0000	0x022c0000	0x022c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000022d0000	0x022d0000	0x02397fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000023a0000	0x023a0000	0x023dffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x023e0000	0x026aefff	Memory Mapped File	Readable	Region Actions
private_0x00000000026b0000	0x026b0000	0x027affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000027b0000	0x027b0000	0x028affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000028b0000	0x028b0000	0x029affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000029b0000	0x029b0000	0x02aaffff	Private Memory	Readable, Writable	Region Actions
kernelbase.dll.mui	0x02ab0000	0x02b6ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000002b70000	0x02b70000	0x02c6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002c70000	0x02c70000	0x02d6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002d70000	0x02d70000	0x02daffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002db0000	0x02db0000	0x02eaffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002eb0000	0x02eb0000	0x02eeffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ef0000	0x02ef0000	0x02feffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ff0000	0x02ff0000	0x0302ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003030000	0x03030000	0x0312ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003130000	0x03130000	0x0316ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003170000	0x03170000	0x0326ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003270000	0x03270000	0x032affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000032b0000	0x032b0000	0x033affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000033b0000	0x033b0000	0x033effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000033f0000	0x033f0000	0x034effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000034f0000	0x034f0000	0x0352ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003530000	0x03530000	0x0362ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003630000	0x03630000	0x0366ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003670000	0x03670000	0x0376ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003770000	0x03770000	0x03770fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003780000	0x03780000	0x037bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000037c0000	0x037c0000	0x038bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000038c0000	0x038c0000	0x038c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000038d0000	0x038d0000	0x0390ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003910000	0x03910000	0x03a0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003a10000	0x03a10000	0x03a4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003a50000	0x03a50000	0x03b4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003b50000	0x03b50000	0x03b50fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003b60000	0x03b60000	0x03b9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003ba0000	0x03ba0000	0x03c9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003ca0000	0x03ca0000	0x03ca0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003cb0000	0x03cb0000	0x03cb0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003cc0000	0x03cc0000	0x03cc0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003cd0000	0x03cd0000	0x03cd0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003ce0000	0x03ce0000	0x03ce0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003cf0000	0x03cf0000	0x03cf0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003d00000	0x03d00000	0x03d00fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003d10000	0x03d10000	0x03d10fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003d20000	0x03d20000	0x03d20fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003d30000	0x03d30000	0x03d30fff	Private Memory	Readable, Writable	Region Actions
bce1010314.exe	0x55820000	0x5585bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x729a0000	0x729a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pdh.dll	0x729b0000	0x729ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x729f0000	0x72a73fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x731a0000	0x731a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x731b0000	0x731c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x731f0000	0x7326ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x73270000	0x7340dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x73410000	0x73417fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x73420000	0x7347bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x73480000	0x734befff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x74970000	0x7497dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74980000	0x749bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x749c0000	0x749d5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x749f0000	0x749fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74a00000	0x74a5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74a60000	0x74abffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x74ad0000	0x74b5efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x74b90000	0x74c0afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x74c10000	0x74c36fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x74c40000	0x74c85fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x74c90000	0x74ca1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x74cb0000	0x758f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75960000	0x759fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x75a90000	0x75b12fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75c50000	0x75cdffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75ce0000	0x75deffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x75df0000	0x75e46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x75e50000	0x75eecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76280000	0x7632bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76330000	0x76348fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76350000	0x764abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x764b0000	0x765affff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x766f0000	0x767bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x767c0000	0x767c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x767d0000	0x768bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x768c0000	0x76a5cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076aa0000	0x76aa0000	0x76bbefff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076bc0000	0x76bc0000	0x76cb9fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76cc0000	0x76e68fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76ea0000	0x7701ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efa7000	0x7efa7000	0x7efa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efaa000	0x7efaa000	0x7efacfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions
For performance reasons, the remaining 61 entries are omitted. The remaining entries can be found in flog.txt.

Threads

Thread 0x564

(Host: 3536, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-11-14 19:03:07 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 16348	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x75cf4f2b	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x75cf1252	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x75cf4208	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x75cf359f	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75ce0000	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75ce0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapCreate, address_out = 0x75cf4a2d	1	Fn
Window	Set Attribute	index = 18446744073709551612, new_long = 0	1	Fn
COM	Create	interface = 00000112-0000-0000-C000-000000000046, cls_context = CLSCTX_LOCAL_SERVER	1	Fn
Debug	Print	process_name = c:\programdata\bce1010314.exe, type = DEBUG_STRING, text = Class not registered	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Filename	process_name = c:\programdata\bce1010314.exe, file_name_orig = C:\ProgramData\BCE1010314.exe, size = 260	1	Fn
File	Delete	filename = 0	1	Fn
Module	Get Handle	module_name = c:\programdata\bce1010314.exe, base_address = 0x55820000	1	Fn
Window	Create	window_name = Press, class_name = BUTTON, wndproc_parameter = 0	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer	1	Fn
System	Get Info	type = Operating System	1	Fn
For performance reasons, the remaining 1536 entries are omitted. The remaining entries can be found in glog.xml.

Process #25: notepad.exe

Information	Value
ID	#25
File Name	c:\windows\syswow64\notepad.exe
Command Line	"C:\Windows\system32\NOTEPAD.EXE" C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\_HELP_INSTRUCTION.TXT
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:45, Reason: Child Process
Unmonitor	End Time: 00:04:21, Reason: Terminated by Timeout
Monitor Duration	00:00:36
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x1030
Parent PID	0x54c (c:\programdata\bce1010314.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e620 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 1034

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00031fff	Pagefile Backed Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00061fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
notepad.exe.mui	0x000e0000	0x000e2fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000110000	0x00110000	0x00110fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000120000	0x00120000	0x00121fff	Pagefile Backed Memory	Readable	Region Actions
msctf.dll.mui	0x00130000	0x00130fff	Memory Mapped File	Readable, Writable	Region Actions
pagefile_0x0000000000140000	0x00140000	0x00140fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000190000	0x00190000	0x0020ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000230000	0x00230000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002a0000	0x002a0000	0x002dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002e0000	0x002e0000	0x0035ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003a0000	0x003a0000	0x003affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x004fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000500000	0x00500000	0x005defff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000660000	0x00660000	0x0066ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000670000	0x00670000	0x007f7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000800000	0x00800000	0x00980fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000aa0000	0x00aa0000	0x00adffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000b70000	0x00b70000	0x00baffff	Private Memory	Readable, Writable	Region Actions
notepad.exe	0x00e10000	0x00e3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000e40000	0x00e40000	0x0223ffff	Pagefile Backed Memory	Readable	Region Actions
staticcache.dat	0x02240000	0x02b6ffff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000002b70000	0x02b70000	0x02f62fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x02f70000	0x0323efff	Memory Mapped File	Readable	Region Actions
uxtheme.dll	0x731f0000	0x7326ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x73270000	0x7340dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x73410000	0x73417fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x73420000	0x7347bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x73480000	0x734befff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winspool.drv	0x746f0000	0x74740fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x74850000	0x74862fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x74870000	0x74878fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x749f0000	0x749fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74a00000	0x74a5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74a60000	0x74abffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x74ad0000	0x74b5efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x74b90000	0x74c0afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x74c40000	0x74c85fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x74cb0000	0x758f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75960000	0x759fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x75a90000	0x75b12fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75c50000	0x75cdffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75ce0000	0x75deffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x75df0000	0x75e46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x75e50000	0x75eecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76280000	0x7632bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76330000	0x76348fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76350000	0x764abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x764b0000	0x765affff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x766f0000	0x767bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x767c0000	0x767c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x767d0000	0x768bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076aa0000	0x76aa0000	0x76bbefff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076bc0000	0x76bc0000	0x76cb9fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76cc0000	0x76e68fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76ea0000	0x7701ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions